Last updated: May 2026
1. Purpose of This Page
Stark Chat engages a small number of trusted third parties ("Sub-processors") to help us deliver our services. This page lists every Sub-processor that may process Personal Data processed on behalf of our customers, in line with section 7 of our Data Processing Agreement.
2. Current Sub-processors
The table below reflects the Sub-processors currently engaged. Customers can subscribe to changes by emailing privacy@starkchat.com.
| Sub-processor | Purpose | Data categories | Location | Transfer mechanism |
|---|---|---|---|---|
| AWS Amazon Web Services, Inc. | Cloud infrastructure hosting our application, databases, storage, authentication, message queues, and large-language-model inference (Amazon Bedrock). | Customer content, account data, and application logs. | eu-west-2 (London, United Kingdom) for application infrastructure; eu-west-1 (Ireland) and eu-west-2 (London) for Amazon Bedrock cross-region inference profiles. There is no fallback to non-EU regions. | Data remains within the United Kingdom and European Economic Area. AWS does not use, and contractually requires foundation-model providers not to use, customer prompts or completions to train any models. |
| Pinecone Pinecone Systems, Inc. | Managed vector database — stores dense and sparse embeddings of your content and associated metadata for hybrid retrieval. | Vector embeddings of content chunks and associated chunk metadata (such as source identifiers and document references). | United States | EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Where Pinecone is currently certified under the EU–US Data Privacy Framework, that framework provides an additional safeguard. |
| Stripe Stripe Payments Europe, Ltd. | Payment processing for subscriptions, invoicing, and tax handling. The relationship is split: Stripe acts as our Sub-processor for billing-contact metadata, and as an independent Controller for full payment-card data, which we never receive or store. | Billing contact details (account email and company name) and Stripe customer/subscription/invoice identifiers. Stark Chat does not collect or transmit full card data — Stripe collects card data directly from the cardholder as an independent Controller. | Ireland and United States | EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Where Stripe is currently certified under the EU–US Data Privacy Framework, that framework provides an additional safeguard. |
| Sentry Functional Software, Inc. (Sentry) | Application error monitoring and performance telemetry for incident detection and debugging. | Technical error data, stack traces, pseudonymous user identifiers, IP address, browser metadata. | United States | EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Where Sentry is currently certified under the EU–US Data Privacy Framework, that framework provides an additional safeguard. |
| Cloudflare Cloudflare, Inc. | DNS management for customer custom domains via the Cloudflare Custom Hostnames API. Stark Chat application traffic is served via AWS CloudFront and Route 53; no application or customer content traffic transits Cloudflare. | Customer-supplied custom-hostname records and the metadata required to provision SSL certificates for those hostnames. | Global anycast network with EU and US presence | EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Where Cloudflare is currently certified under the EU–US Data Privacy Framework, that framework provides an additional safeguard. |
| Firecrawl Mendable AI, Inc. (Firecrawl) | Web-page fetching and conversion to markdown when a Controller adds a public URL as a document source. Controllers should not submit URLs they consider confidential — the URL itself, including any tokens or path segments, is sent to Firecrawl. | URLs submitted by the Controller and the public web content returned for those URLs. No account credentials or private application content are sent. | United States | EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Where Firecrawl is currently certified under the EU–US Data Privacy Framework, that framework provides an additional safeguard. |
3. Customer-Authorised Integrations
Stark Chat allows Controllers to connect their own third-party accounts as document sources — for example Google Drive, Microsoft OneDrive, Dropbox, and Notion. These providers are not our Sub-processors: they are independent controllers of the source data, and the Controller authorises Stark Chat to retrieve content from them via OAuth. Once content is retrieved, it is processed by the Sub-processors listed in section 2 above. The Controller is responsible for the lawful basis on which it grants Stark Chat access to those sources.
4. Service Providers Not Listed Above
Stark Chat also engages other providers — including Mixpanel, Google Analytics, Google Ads, and Cookiebot — for our own product analytics, advertising measurement, and consent management. For these tools, Stark Chat is the Controller of the limited operational and product-usage data collected about end users of our marketing and product surfaces; we do not route customer-uploaded content through them on behalf of our customers. They are therefore not Sub-processors under this DPA, and are disclosed in our Privacy Policy.
5. Notification of Changes
We will give customers at least 30 days' prior notice before adding or replacing a Sub-processor that processes Personal Data on their behalf. Notice will be given by updating this page and by email to the registered account contact. Customers may object to a proposed change in writing within 14 days of receiving notice, in accordance with section 7.2 of the Data Processing Agreement.
6. Affiliates
Where a Sub-processor uses its own group affiliates to deliver the service (for example AWS regional entities), those affiliates are bound by the same data-processing terms as the named Sub-processor.
7. Contact
For any questions about our Sub-processors, our cross-border transfer mechanisms, or to request a copy of the relevant Standard Contractual Clauses, please contact privacy@starkchat.com.