Subprocessor List
Last Updated: March 15, 2026
AlecRae, Inc. ("AlecRae") uses certain third-party service providers ("Subprocessors") to assist in providing the AlecRae platform. These Subprocessors may process personal data on behalf of our customers in accordance with our Data Processing Agreement and applicable data protection laws. This page lists all current Subprocessors, the nature of their services, and the data they process.
1. Current Subprocessors
The following Subprocessors are currently authorized to process personal data on behalf of AlecRae customers:
Subprocessor
Purpose
Location
Data Processed
Amazon Web Services (AWS)
Primary cloud infrastructure, compute, storage, and networking
United States (us-east-1, us-west-2), European Union (eu-west-1)
All customer data including email content, metadata, attachments, account information
Hetzner Online GmbH
European infrastructure, dedicated servers for EU data residency
Germany (Falkenstein, Nuremberg)
EU customer data including email content, metadata, attachments for EU-resident accounts
Cloudflare, Inc.
CDN, DDoS protection, DNS resolution, edge caching
Global (275+ data centers worldwide)
IP addresses, HTTP request metadata, cached static assets
Stripe, Inc.
Payment processing, billing, subscription management, fraud prevention
United States
Billing name, email address, payment method details, transaction history, IP address
Anthropic, PBC
AI/ML processing for spam detection, content classification, writing assistance
United States
Anonymized email content snippets, classification metadata (no raw email content or PII)
Grafana Labs
Monitoring, observability, log aggregation, alerting
United States
System logs, performance metrics, anonymized error traces (no customer email content)
2. Change Notification Process
AlecRae is committed to transparency regarding its use of Subprocessors. When we engage a new Subprocessor or make material changes to an existing Subprocessor's scope of data processing, we will notify customers through the following mechanisms:
a.
Email Notification. We will send an email notification to the account owner and designated data protection contact (if configured) at least 30 days before the new Subprocessor begins processing customer data.
b.
This Page. This Subprocessor List page will be updated with the new or modified Subprocessor details. The "Last Updated" date will reflect the most recent change.
c.
RSS/Webhook Feed. Customers may subscribe to an RSS feed or configure a webhook endpoint in their account settings to receive automated notifications of Subprocessor changes.
3. Objection Procedure
If you have a legitimate objection to our use of a new or modified Subprocessor, you may exercise your right to object as follows:
a.
Objection Window. You must submit your objection in writing within 30 calendar days of receiving the change notification. Objections must be sent to dpa@alecrae.com and must include a detailed explanation of the specific, reasonable grounds for the objection based on data protection concerns.
b.
Resolution Process. Upon receiving a valid objection, AlecRae will work in good faith to address your concerns. This may include: (i) providing additional information about the Subprocessor's data protection measures; (ii) implementing additional safeguards or restrictions on the Subprocessor's processing activities; or (iii) offering a commercially reasonable alternative configuration that avoids the use of the objected-to Subprocessor for your data.
c.
Escalation. If the parties are unable to resolve the objection within 30 days of the objection being raised, either party may escalate the matter in accordance with the dispute resolution provisions of the Data Processing Agreement. In certain circumstances, if resolution is not possible, you may have the right to terminate the affected services without penalty, subject to the terms of the DPA.
4. Data Protection Measures
All Subprocessors listed above are bound by contractual obligations that include:
(i)
Processing personal data only on documented instructions from AlecRae
(ii)
Implementing appropriate technical and organizational security measures
(iii)
Maintaining confidentiality obligations for all personnel with access to personal data
(iv)
Assisting AlecRae in responding to data subject rights requests
(v)
Deleting or returning all personal data upon termination of services
(vi)
Submitting to audits and inspections as required by applicable data protection laws
For Subprocessors located outside the European Economic Area, appropriate transfer mechanisms are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, supplementary measures as recommended by the EDPB.
To receive notifications of Subprocessor changes, configure your notification preferences in your Account Settings or subscribe to our Subprocessor RSS feed.
For questions about our Subprocessors or data processing practices, contact our Data Protection Officer at dpo@alecrae.com.