Sub-processors
Last updated: 2026-05-17
In line with GDPR art. 28 and partner-platform sub-processor obligations (DPA), Fleuret AI maintains the exhaustive list of its sub-processors below. Any addition or change is notified in writing to customers 30 days in advance, at the contractual email address.
Active sub-processors
| Vendor | Country | Purpose | Data processed | DPA |
|---|---|---|---|---|
| Scaleway SAS | 🇫🇷 France (Paris) | Application hosting, PostgreSQL database, LLM inference (gpt-oss, Kimi K2.5) on H100 GPUs | Customer data (workspaces, scans, findings, reports), tenant metadata | Link |
| Supabase, Inc. | 🇪🇺 EU (eu-west-3, Frankfurt) | Authentication, central database (profiles, billing, metadata), Edge Functions | User credentials, sessions, billing data | Link |
| Vercel, Inc. | 🇫🇷 fra1 (Paris) | Static frontend hosting fleuret.ai + serverless API functions | Navigation metadata. No sensitive customer data. | Link |
| Resend | 🇪🇺 EU | Transactional email (findings notifications, report-ready alerts) | Recipient email addresses, send metadata | Link |
| Make.com (Celonis) | 🇨🇿 Czech Republic (EU) | Sync between Airtable and Google Sheets for internal pipeline | No customer data. Internal commercial metadata only. | Link |
| Slack Technologies (Salesforce) | 🇺🇸 United States | Internal team communication | No customer data. Internal communications only. | Link |
| Granola | 🇺🇸 United States | Internal meeting notes | No customer data. Internal notes only. | Link |
| Google LLC (Google Analytics 4) | 🇺🇸 United States (EU endpoint) | Anonymized audience measurement on fleuret.ai. Hits routed through region1.google-analytics.com (European endpoint) with anonymize_ip=true. Consent Mode v2 (denied by default, granted only after cookie banner acceptance). | Navigation metadata (page views, session duration, browser). No customer data. IP anonymized server-side. | Link |
| Microsoft Corporation (Clarity) | 🇺🇸 United States | Heatmaps and aggregated session recordings (mouse movement, clicks, scroll) on fleuret.ai. Form inputs and sensitive fields masked by default. Explicit consent required via cookie banner. | Aggregated UI interactions. No form input captured. No product-platform customer data. | Link |
Under evaluation (Q3 2026)
- Stripe (EU) · Customer billing + card payments
- Plain (EU) · Customer support (Q3 2026)
- Sentry (EU) · Application error monitoring
Data residency
- Customer data (workspaces, scans, findings, reports): stored exclusively in France (Scaleway Paris) and the EU region (Supabase eu-west-3).
- LLM inference: open-weight models (gpt-oss, Kimi K2.5) served on Scaleway GPU France. No third-party LLM API calls (OpenAI, Anthropic, Google).
- Frontend / API: Vercel fra1 region (Paris).
- Transactional email: Resend EU region.
- Backups: AES-256 encrypted, stored on Scaleway France (geographically separated zone).
GDPR safeguards
- All listed sub-processors have a signed DPA with Fleuret AI matching EU Standard Contractual Clauses.
- For non-EU sub-processors (Slack, Granola, internal data only), Fleuret applies GDPR-compliant transfer mechanisms (2021 SCCs + transfer impact assessment).
- No sub-processor processes personally identifiable customer data outside the EU.
Change notification
- Active customers: email at the contractual address, 30 days before the change takes effect.
- Distribution partners under MSA: extra notification to the partner's technical contact.
- Public: this page is updated.
Contact
- Sub-processor questions: yanis@fleuret.ai
- Responsible disclosure: security@fleuret.ai