Daros Systems, Inc.(“Daros,” “we”) engages the third parties listed below to help deliver the Provendorprocurement platform (the “Service”). Each sub-processor is bound by a written agreement imposing data protection obligations substantially similar to those in our Data Processing Addendum. This page supplements our Privacy Policy and is incorporated by reference into the DPA as Annex III.
We will provide at least 30 days' advance notice of any new sub-processor that will Process Customer Personal Data by updating this page. Customers who wish to receive email notifications of changes may subscribe by emailing dpa@provendor.io. Customers may object to a new sub-processor on reasonable data-protection grounds as described in Section 8 of the DPA.
| Vendor | Service | Data processed | Location |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, storage, compute, managed databases | All Customer Content and account data stored or processed by the Service | United States (us-east-1) and European Union (eu-west-1) |
| Vercel Inc. | Edge hosting and CDN for marketing site and application frontend | Request metadata, IP addresses, application assets | Global (edge network); primary regions US and EU |
| Vendor | Service | Data processed | Location |
|---|---|---|---|
| Resend, Inc. | Transactional email delivery (invites, notifications, vendor BCC) | Email addresses, subject lines, message bodies, delivery metadata | United States |
Analytics sub-processors are loaded only on the public marketing site (provendor.io) and only after a visitor consents via the cookie banner. They are not used inside the authenticated application.
| Vendor | Service | Data processed | Location |
|---|---|---|---|
| Google LLC | Google Analytics 4 and Google Tag Manager (marketing site only; consent-gated) | Pseudonymous identifiers, IP-derived country, page/event telemetry | United States |
| Microsoft Corporation | Microsoft Clarity session replay and heatmaps (marketing site only; consent-gated) | Masked page interactions, viewport data, pseudonymous session IDs | United States |
When AI assist features are used, relevant Customer Content is transmitted to the model providers below solely to generate the requested output. Under our contractual arrangements, these providers do not use Customer Content to train their foundation models.
| Vendor | Service | Data processed | Location |
|---|---|---|---|
| Anthropic PBC | Large language model inference for AI assist features | Text prompts derived from Customer Content; not used to train third-party models | United States |
| OpenAI, L.L.C. | Large language model inference and embeddings for AI assist features | Text prompts derived from Customer Content; not used to train third-party models | United States |
Billing sub-processors are engaged only where Customer has subscribed to a paid plan. Payment card data is collected and processed directly by the billing provider and does not transit our infrastructure.
| Vendor | Service | Data processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing (when paid plans are enabled) | Billing contact, billing address, tax ID, transaction metadata (card data collected directly by Stripe) | United States and European Union |
Daros may engage affiliates under common control as internal sub-processors subject to the same data protection obligations. No customer-facing affiliates are currently engaged.
Where a sub-processor Processes Personal Data outside the EEA, UK, or Switzerland, Daros relies on the Standard Contractual Clauses (and UK IDTA where applicable) as described in Section 9 of the DPA.
Questions about sub-processors or to subscribe to change notifications, email dpa@provendor.io.