IsoKron Sub-processors
Last updated: 2026-05-13
This page lists the sub-processors IsoKron uses to operate the IsoKron platform at isokron.ai (the "Service"). Each sub-processor is bound to confidentiality and security obligations consistent with the IsoKron Privacy Policy and Data Processing Agreement.
Current sub-processors
| # | Name | Purpose | Location of processing | DPA / SCCs |
|---|---|---|---|---|
| 1 | Supabase, Inc. | Postgres database, BYOK key encryption (Vault), authentication integration | United States | Supabase DPA + EU SCCs Module 3 |
| 2 | Cloudflare, Inc. | Cold-tier audit log archival (R2), edge networking | Global (origin: United States) | Cloudflare DPA + EU SCCs Module 3 |
| 3 | Clerk, Inc. | Identity and authentication (workspaces map to Clerk organizations) | United States | Clerk DPA + EU SCCs Module 3 |
| 4 | Doppler, Inc. | Operator-side secret management. Does NOT touch customer personal data — operates only on IsoKron-internal credentials. | United States | Doppler DPA |
| 5 | Fly.io, Inc. | Application hosting (api, worker, cron containers) | Multi-region (operator selects) | Fly.io DPA + EU SCCs Module 3 |
| 6 | Resend, Inc. | Transactional email (account notifications, BYOK rotation, compilation status, security alerts) | United States | Resend DPA + EU SCCs Module 3 |
| 7 | Anthropic, PBC | Layer 4 security Critic (operator-paid). Processes the compiled graph — not the customer's BYOK key — for safety review before compilation commit. | United States | Anthropic DPA + EU SCCs Module 3 |
| 8 | PurelyMail LLC | Outbound SMTP for operator-side notifications (new-signup alerts to the IsoKron team). Domain-verified for isokron.ai. | United States | PurelyMail terms of service |
Notes on what each sub-processor sees
- Supabase sees: account profile data, customer content (declarations, reference documents, customer review responses), audit log entries, telemetry, encrypted BYOK ciphertext (never plaintext).
- Cloudflare sees: audit log entries archived to R2 (encrypted at rest); request metadata at the edge (for DDoS protection). No customer content passes through Cloudflare unencrypted.
- Clerk sees: account profile data, authentication metadata, organization membership.
- Doppler sees: operator-internal API keys (Anthropic critic key, Resend API key, etc.). Never sees customer data, never sees BYOK keys.
- Fly.io sees: process memory and outbound traffic for IsoKron application containers. Decrypted BYOK keys are held in memory for milliseconds during stage invocation, then zeroed.
- Resend sees: customer email address, sender name, transactional email content (template-rendered).
- PurelyMail sees: operator-team email addresses and the body of operator-internal notifications (e.g. "new signup captured: ‹email›"). Does NOT see customer-facing transactional email content — that path stays on Resend. Domain-verified SMTP only.
- Anthropic sees: the compiled graph (Stages 1-6 outputs) the Critic evaluates, plus security context (workspace-aged-days, compilation count, etc.). The Critic does NOT see the raw customer declaration; the operator-Anthropic relationship uses an IsoKron-owned credential, not the customer's BYOK key.
Upstream language-model providers (BYOK)
When you direct IsoKron to invoke an upstream language-model provider using your BYOK key, that provider receives the prompt content (your declaration plus stage-specific context) and processes it under its own terms of service and privacy policy. The upstream providers IsoKron supports are:
- Anthropic (Claude family, BYOK customer key)
- OpenAI (GPT family)
- Google AI (Gemini family)
- xAI (Grok family)
You select the upstream provider per workspace by configuring your BYOK key. IsoKron does not act as your data controller for those upstream invocations; you are. If you have data-protection obligations relating to the upstream provider's use of your data (for example, training-on-data settings), you are responsible for configuring your account with the provider accordingly.
Change notice
We will provide at least 30 days' advance notice of any addition or replacement of a sub-processor by:
- Updating this page with the new sub-processor and effective date.
- Sending an in-product or email notice to the workspace owner.
EU/UK customers may object during the 30-day window. If we cannot resolve the objection in good faith, you may terminate the affected portion of the Service on written notice.
Change log
- 2026-05-13 — Added PurelyMail LLC (sub-processor #8) for outbound SMTP delivering operator-internal new-signup notifications. The previous Formspree-hosted email-capture endpoint was retired the same day; Formspree never had access to customer data in production (the integration was landing-page only and not generally available) so it was not previously listed.
- 2026-05-09 — Initial publication. Seven sub-processors listed above.
Contact
Questions about sub-processors: privacy@isokron.ai