BeanStack uses the following third-party subprocessors to provide our services. A subprocessor is any entity that processes personal data or customer financial data under BeanStack's instructions.
We maintain contractual data processing agreements (DPAs) with each subprocessor that include the obligations required by GDPR Article 28. We conduct due diligence on all subprocessors before onboarding.
We will notify customers of any material changes to this list with at least 14 days' notice by email or in-app notification, giving customers the opportunity to object before changes take effect.
Infrastructure & Hosting
| Subprocessor | Purpose | Data Location | |---|---|---| | Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, networking | United States, EU (EU customers) | | Supabase | Authentication, PostgreSQL database, realtime | United States, EU (EU customers) | | Vercel | Frontend hosting, CDN, edge network | United States, EU | | Railway | API server hosting, background workers | United States |
AI & Machine Learning
| Subprocessor | Purpose | Data Location | |---|---|---| | OpenAI | AI language model processing (document extraction, financial analysis, chat) | United States | | Anthropic | AI language model processing (alternative model provider) | United States | | Google (Vertex AI) | AI language model processing (alternative model provider) | United States, EU |
Note on AI processing: BeanStack sends only the minimum required data to AI providers to fulfill a specific task. We maintain data processing agreements with all AI providers. No AI provider is permitted to use your financial data to train their models.
Financial & Banking
| Subprocessor | Purpose | Data Location | |---|---|---| | Stripe | Payment processing, subscription billing, invoicing | United States, EU | | Plaid | Bank account connection, transaction data retrieval | United States |
Communications & Support
| Subprocessor | Purpose | Data Location | |---|---|---| | Resend | Transactional email delivery (notifications, reports, invoices) | United States | | Intercom | Customer support, in-app messaging | United States |
Monitoring & Observability
| Subprocessor | Purpose | Data Location | |---|---|---| | Sentry | Error monitoring, crash reporting | United States, EU | | PostHog | Product analytics (anonymized usage data) | EU (EU Cloud) | | Temporal Technologies | Workflow orchestration | United States |
Document Processing
| Subprocessor | Purpose | Data Location | |---|---|---| | AWS Textract | OCR and document text extraction | United States | | Azure Form Recognizer | Document understanding, structured data extraction | United States, EU |
Data Processing Agreements
BeanStack has executed Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms with all subprocessors that transfer data outside the EEA. Copies of our DPAs with subprocessors are available on request.
To request a copy of a specific DPA or to raise an objection to a subprocessor, contact us at privacy@beanstack.ai.
Changes to This List
| Date | Change | |------|--------| | March 2026 | Initial publication |