Legal
Subprocessor Registry
Last updated: April 23, 2026.

This registry lists providers that may process personal data to operate Corelyx or execute workflows you explicitly configure. Customer-configured providers may require separate customer account settings, DPAs, SCCs, or transfer assessments.

| Provider | Purpose | Data categories | Region | EU-only | Transfer basis | DPA | SCC | Retention | Optional | Default use | Last reviewed |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Supabase (database): Always | Database, authentication, realtime APIs, and Vault-backed secret references. | Account data, Workflow schemas, Runs, Approvals, Connection metadata, Secret references | Configured Supabase project region, expected EU for Corelyx production. | Yes | DPA and SCCs where the configured project or subprocessors involve third-country processing. | Available | Available where needed | Controlled by Corelyx database retention settings and Supabase backup rotation. | Required | Default | 2026-05-27 |
| Vercel (hosting): Always | Hosts the Next.js web app, API routes, static assets, and deployment logs. | Request metadata, IP addresses, Application logs, Rendered application data | Global CDN; server compute depends on project region configuration. | Yes | DPA and transfer addendum; EU-only support depends on project routing and log configuration. | Available | Available where needed | Deployment and request logs follow Vercel account retention and Corelyx log minimisation settings. | Required | Default | 2026-05-27 |
| Railway (hosting): Always | Hosts the Python workflow runtime used for execution steps. | Workflow execution payloads, Runtime logs, Connector requests and responses | Configured Railway service region. | Yes | DPA and SCCs where the runtime or subprocessors involve third-country processing. | Available | Available where needed | Runtime logs are minimised and governed by workspace retention settings where technically available. | Required | Default | 2026-05-27 |
| Inngest (orchestration): Always | Schedules, retries, event dispatch, and asynchronous workflow orchestration. | Event metadata, Function payloads, Retry state, Timing data | Provider-managed cloud location based on the configured Inngest account. | No | DPA and SCCs required if personal data is sent through orchestration events. | Available | Available where needed | Event retention depends on the Inngest account and should not include secrets or full payloads in EU-only mode. | Required | Default | 2026-05-27 |
| Resend: Only when transactional email is sent | Transactional email for approvals, failures, account, and billing notices. | Recipient email, Sender details, Subject lines, Notification content | United States for account data, email metadata, logs, and API records. | No | DPA and SCCs required for EEA personal data. | Available | Available where needed | Provider email logs follow Resend retention; Corelyx avoids sending secrets in notifications. | Required | Customer enabled | 2026-05-27 |
| Stripe (payments): Only when billing features are used | Checkout, subscriptions, invoices, payment processing, and fraud prevention. | Billing contact data, Subscription metadata, Invoice records, Payment and fraud signals | Provider-managed financial infrastructure. | No | DPA, SCCs, adequacy mechanisms, and payment-law processing roles depending on account setup. | Available | Available where needed | Billing and tax data is retained as required by law. | Required | Customer enabled | 2026-05-27 |
| OpenAI (LLM): Only when selected or configured | Optional model inference for workflow agent nodes and model operations. | Prompts, System instructions, Selected workflow inputs, Model outputs, Usage metadata | United States by default unless eligible European data residency is configured in the customer or platform account. | Yes | DPA and SCCs unless an eligible EU-resident project is verified for the workspace. | Available | Available where needed | Retention depends on account, API project, abuse monitoring, and zero-data-retention settings. | Optional | Customer enabled | 2026-05-27 |
| Anthropic (LLM): Only when selected or configured | Optional model inference for workflow agent nodes. | Prompts, System instructions, Selected workflow inputs, Model outputs, Usage metadata | United States for customer data unless otherwise agreed. | No | DPA and SCCs required for EEA personal data. | Available | Available where needed | Commercial API retention is provider-controlled and subject to policy and abuse-monitoring exceptions. | Optional | Customer enabled | 2026-05-27 |
| OpenRouter (LLM): Always active when using the Corelyx platform key. Also active when customer configures their own OpenRouter API key. | LLM routing layer used by the Corelyx platform key to execute agent nodes. Also optionally used when a customer configures their own OpenRouter API key. | Prompts, System instructions, Selected workflow inputs, Model outputs, Provider routing metadata | Provider-managed global infrastructure. EU routing available on enterprise OpenRouter accounts. | No | No signed DPA or SCCs currently in place. Corelyx is pursuing an enterprise DPA with OpenRouter. Until completed, customers should treat OpenRouter as a third-country transfer risk and avoid routing special-category or high-risk personal data through the Corelyx platform key. | Missing / customer review required | Missing / required before use | OpenRouter states prompts are not used for training and are not retained beyond request processing by default. Verify current policy at openrouter.ai/privacy. | Required | Default | 2026-05-27 |
| connector: Sign-In available to all users. Workflow connectors only if explicitly connected by the customer. | Google Sign-In (OAuth authentication available to all users). Optionally also used for Gmail, Calendar, Docs, Drive, and Sheets workflow actions when explicitly connected. | Profile data and email address (Sign-In), Mailbox and file metadata (if connected), Message and document content (if connected), Calendar data (if connected), Workflow payloads (if connected) | Provider-managed; depends on Google account, Workspace region, and service. | Yes | Google terms, DPA, SCCs, and customer tenant controls. | Available | Available where needed | Sign-In profile data retained for the life of the account. Connector data retention is controlled by the connected Google account or tenant. | Required | Default | 2026-05-27 |
| Customer-configured HTTP endpoint (connector): Only if enabled by the customer | Customer-configured webhook or HTTP connector calls to arbitrary public endpoints. | Workflow payloads selected by the customer | Customer-configured destination. | No | Customer must document recipient, DPA, SCCs, and transfer basis before personal-data use. | Missing / customer review required | Missing / required before use | Retention is controlled by the customer-configured endpoint. | Optional | Customer enabled | 2026-05-27 |

Change notice
Corelyx will provide at least 30 days' advance notice before adding or replacing a subprocessor that processes customer personal data, unless urgent security, availability, or legal requirements make advance notice impracticable.
See the DPA and Data Residency pages for processor terms and regional controls.
