Trust Center
Subprocessor list
Counsel review pending: This page lists core infrastructure subprocessors only. External threat-intelligence APIs (e.g. exposure and breach data providers configured in your deployment) will be added after legal review. Notify security@scrypex.com to receive updates when the list changes.
Core subprocessors (published)
| Provider | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase | Primary database, authentication, and file storage for the SCRYPEX application | Account email, workspace configuration, findings, audit logs, encrypted integration secrets | United States (provider region; confirm in order form) |
| Vercel | Dashboard and API hosting, serverless execution, edge delivery | HTTP request metadata, application logs, environment configuration | United States / global CDN (provider) |
| Railway | Background detection workers and scheduled scan jobs | Worker configuration, operational logs, queued job metadata (tenant-scoped) | United States (provider) |
| Anthropic | AI-assisted finding enrichment and remediation narrative generation | Finding titles, severity, and contextual metadata sent for enrichment (not full credential plaintext) | United States (provider) |
| Resend | Transactional email delivery (alerts, account, and product notifications) | Recipient email addresses, alert subject/body content | United States (provider) |
| Sentry | Application error monitoring and performance diagnostics | Scrubbed stack traces, request paths, release metadata | United States (provider) |
| Stripe | Subscription billing and one-time add-on payments | Billing contact, payment method tokens (handled by Stripe), invoice metadata | United States (provider) |
Threat-intelligence & scan providers (not yet enumerated)
SCRYPEX queries external threat-intelligence and exposure APIs (configured per deployment) using your monitored domains and IPs. Those providers are not listed here until counsel completes a subprocessor review. No customer portal passwords are sent to intel APIs.
Operators configure API keys per deployment (see deployment environment documentation). Queries use monitored domains, hostnames, and IPs — not end-user portal passwords.