This page lists the subprocessors that may process Customer Personal Data in connection with the Services, as referenced in our Data Processing Addendum. We keep the list current and notify customers of changes as described below.
1 How we choose and manage subprocessors
Before engaging a subprocessor, we assess its security and privacy practices and enter into a written contract that imposes data protection obligations no less protective than those in our DPA. Subprocessors may process Customer Personal Data only to provide their service to us, only on our instructions, and must maintain appropriate security measures and report incidents to us. We remain responsible to you for their performance.
2 Current subprocessors
The following third parties may process Customer Personal Data to provide the Services. Some, such as the AI providers and accounting sync, are used only when you enable the related feature or integration.
| Subprocessor | Purpose | Primary region |
|---|---|---|
| Supabase | Managed Postgres database, authentication, object/file storage, and realtime — the core hosting and data layer for the Services. | United States / EU |
| Anthropic | AI model provider for the Aria assistant (Claude), used when you select Claude as your AI provider. | United States |
| AI model provider for the Aria assistant (Gemini), used when you select Gemini as your AI provider. | United States | |
| Stripe | Payment processing for subscriptions and invoices. Card data is handled by Stripe; we do not store full card numbers. | United States / global |
| Intuit (QuickBooks) | Optional accounting synchronization, used only if you connect QuickBooks to your workspace. | United States |
| Transactional email provider | Delivery of transactional and notification emails, such as sign-in, receipts, and workspace alerts. | United States / EU |
3 Infrastructure and hosting
Our core infrastructure — database, authentication, file storage, and realtime — runs on managed cloud infrastructure operated by our hosting subprocessor, which in turn relies on certified underlying cloud data centers for physical security.
4 Notification of changes
When we add or replace a subprocessor that processes Customer Personal Data, we will update this page and, at least 30 days before the new subprocessor begins processing, notify customers who have subscribed to subprocessor change notices. To subscribe, email privacy@stelaah.com.
5 Objecting to a change
If you have a reasonable, data protection–related objection to a new subprocessor, tell us within the notice period and we will work in good faith to address it. If we cannot, you may, as your sole remedy, terminate the affected Services as described in the DPA.
6 Contact
Questions about our subprocessors? Email privacy@stelaah.com.
Questions about this policy? Email legal@stelaah.com.
Back to top