bbuildr-plannr
Log inStart free

Subprocessors

Vendor transparency for governed agent planning.

This list identifies vendors that operate, secure, bill, monitor, or support buildr-plannr. It documents purpose, region, data categories, status, and the update process used before material vendor changes reach customer data.

cloud infrastructure

Amazon Web Services

active

Hosts application runtime, networking, storage, logs, backups, queues, deployment roles, and infrastructure evidence.

Region

Primary application infrastructure in EU AWS regions; CloudFront and edge services may process requests globally.

Data categories

  • workspace metadata
  • project and issue records
  • agent task contracts
  • verification evidence
  • operational logs
  • backup exports

Customer content is kept in environment-specific AWS accounts and encrypted with AWS-managed encryption unless a customer contract requires a different posture.

authentication

Amazon Cognito

active

Provides user pools, app clients, token issuance, password reset, signup verification, optional MFA, and hosted UI federation.

Region

Same AWS region as the deployed environment unless an enterprise identity design requires otherwise.

Data categories

  • user identifiers
  • email addresses
  • authentication events
  • identity provider claims
  • session token metadata

Cognito identity data is separated from workspace records and governed through environment-specific callback and logout URLs.

billing

Stripe

planned

Processes checkout, subscriptions, invoices, payment method references, billing portal sessions, webhooks, and entitlement events.

Region

Stripe-managed regions with customer billing records governed by Stripe's data processing terms.

Data categories

  • billing contact details
  • customer identifiers
  • subscription metadata
  • invoice references
  • entitlement state

Payment card data is handled by Stripe. buildr-plannr stores Stripe identifiers and entitlement snapshots, not raw card data.

monitoring

Amazon CloudWatch

active

Collects application logs, deployment health signals, metrics, alarms, and operational diagnostics.

Region

Same AWS account and region as each deployed environment; edge metrics may be global.

Data categories

  • request metadata
  • redacted operational logs
  • error summaries
  • deployment health data
  • audit-adjacent diagnostics

Logs must redact tokens, secrets, private context, and full customer email values before ingestion.

analytics

Product analytics provider

conditional

Measures acquisition, activation, conversion, workspace adoption, and launch readiness without collecting sensitive issue bodies.

Region

Provider region to be confirmed before enabling production analytics.

Data categories

  • pseudonymous workspace identifiers
  • plan tier
  • feature usage events
  • activation milestones
  • marketing attribution metadata

Analytics must exclude secrets, tokens, raw prompts, private issue content, and full customer payloads.

email

Transactional email provider

conditional

Sends signup verification, password reset, support, billing, incident, and lifecycle messages.

Region

Provider region depends on the selected Cognito email sender and support-mail setup.

Data categories

  • email addresses
  • workspace role labels
  • message delivery metadata
  • support case references
  • billing lifecycle state

Email templates must avoid sensitive issue content, agent prompts, secrets, and customer-owned source material.

support

Customer support tooling

planned

Handles support intake, severity routing, account recovery, refund requests, enterprise security review, and incident communication.

Region

Provider region to be confirmed before production support launch.

Data categories

  • contact details
  • support request content
  • severity and routing metadata
  • account recovery evidence
  • enterprise review references

Support records should use redacted references and avoid raw credentials, Cognito tokens, Stripe secrets, and private customer source material.

Notification process

Enterprise customers receive notice through their nominated security or legal contact before material subprocessor changes when required by contract.

Emergency replacements may proceed to protect service security or availability, with notice and evidence captured as soon as practical.

Identify

Service owner

Open a Linear issue before adding, replacing, or removing a vendor that can access customer or workspace data.

Assess

Security owner

Record the subprocessor purpose, region, data categories, transfer posture, retention, security terms, and whether a DPA or contract update is required.

Approve

Founder or enterprise owner

Approve the subprocessor change before production traffic or customer data is sent to the vendor.

Notify

Customer trust owner

Publish the updated list and notify affected enterprise customers through the contractually agreed notice channel before material changes take effect.

Review

Operations owner

Review the subprocessor list at least quarterly and during every enterprise security review.

Related review material

The Markdown source lives at docs/security/subprocessors.md.

PrivacyDPASecurityWhitepaperSSO guideLegal support