| Google Cloud Platform | Google Cloud EMEA Ltd. (IE) / Google LLC (US) | Hosting (Cloud Run, Cloud Functions, BigQuery, Firestore, Cloud Storage, Memorystore, Pub/Sub, Cloud Scheduler, Secret Manager, Cloud Logging). EEA region: europe-central2. | All categories | EU SCCs (2021/914) + EU-US DPF |
| Google Firebase Authentication | Google LLC (US) | User authentication (email/password and Google OAuth), session management, password hashing. Passwords never stored in plain text. | Identity (name, email, Firebase UID), session metadata | EU SCCs (2021/914) + EU-US DPF |
| Google Vertex AI | Google LLC (US) / EU region where available | AI inference (Claude Sonnet 4.6 via Vertex - primary path; legacy Gemini-based analytics). EU region by default. | AI prompts and responses, account identifier | EU SCCs (2021/914) + EU-US DPF; EU region by default |
| Anthropic | Anthropic PBC (US) | AI inference (Claude Sonnet 4.6) - direct path when not routed through Vertex, or fallback. Enterprise terms prohibit training on customer prompts. | AI prompts and responses, account identifier for rate-limiting and abuse prevention | EU SCCs (2021/914) + EU-US DPF (where certified) |
| Stripe | Stripe Payments Europe Ltd. (IE) / Stripe Inc. (US) | Subscription billing, payment processing, customer portal, invoice generation. Stripe acts as independent controller for payment-card data. | Billing identity (email, billing address, tax identifier), payment-method token (no full PAN), subscription and invoice metadata | EU SCCs (2021/914) + EU-US DPF |
| SendGrid (Twilio) | Twilio Inc. (US) | Transactional email: account invitations, password resets, security alerts, support replies, analytics digests. | Email address, message content, delivery and engagement metadata (opens, clicks) | EU SCCs (2021/914) + EU-US DPF |
| Bannerbear | Bannerbear (jurisdiction to be confirmed) | On-demand generation of product creatives from Customer-supplied templates and product feeds. Receives tenant_id as indirect identifier in webhook URL and metadata, plus product_id, product titles, prices, image URLs, and campaign context. No end-user PII unless product photography depicts identifiable people. | Customer-supplied product and campaign metadata (including tenant_id as an indirect identifier); no end-user PII in normal operation | DPA with Bannerbear in progress (Issue E); SCCs to be confirmed |
| Meta Platforms | Meta Platforms Ireland Ltd. (IE) | Reading advertising data (campaigns, ad sets, ads, spend, conversions, audience metadata) from Customer-connected Meta Ads accounts via the Graph API. Customer-initiated OAuth. Meta is an independent controller for the underlying advertising data. | Connected-account OAuth refresh token; ad performance, audience IDs | Controller-to-controller via Customer's connection |
| Google Ads | Google Ireland Ltd. (IE) | Reading advertising data from Customer-connected Google Ads accounts via the Google Ads API. Customer-initiated OAuth. Google is an independent controller for the underlying advertising data. | Connected-account OAuth refresh token; ad performance | Controller-to-controller via Customer's connection |
| TikTok | TikTok Information Technologies UK Ltd. (UK) / TikTok LLC (US) | Reading advertising data from Customer-connected TikTok Ads accounts via the Business API. Customer-initiated OAuth. TikTok is an independent controller for the underlying advertising data. | Connected-account OAuth refresh token; ad performance | Controller-to-controller via Customer's connection |
| GitHub | GitHub, Inc. (Microsoft Corporation) (US) | Source-code hosting, issue tracking, and CI/CD pipelines. No Customer Personal Data in normal operation. | Operational metadata only | EU SCCs (2021/914) + EU-US DPF |
