Subprocessors
Last updated: May 3, 2026
Phoenix Horizon, Inc. ("Phoenix") uses the third-party subprocessors listed below to deliver its products and services (Rush, Prix, and the Phoenix corporate site). Each subprocessor is bound by a written agreement that requires equivalent security and confidentiality protections to those that Phoenix provides under its own Privacy Policy and Terms of Service.
Change notice. We will give existing customers at least 30 days' notice before adding or replacing a Critical or High tier subprocessor that processes customer personal data. Notices are posted on this page and emailed to account owners. Customers may object by contacting [email protected] within the notice period.
Cross-border transfers.Where a subprocessor is established outside the EEA or the UK, transfers are governed by the European Commission's 2021 Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented by encryption in transit and at rest.
Tiers. Critical = handles customer data on the production path; SOC 2 Type 2 + DPA required. High= handles operational data on Phoenix's behalf; SOC 2 Type 2 or ISO 27001 + DPA required. Lower-tier vendors invoked by specific user-installed agents are listed in the respective product's subprocessor page.
| Subprocessor | Purpose | Region | Attestation | Tier |
|---|---|---|---|---|
| Supabase | Managed Postgres (sessions metadata, usage metrics, audit logs, accounts) | EU (or US — see notice below) | SOC 2 Type 2 | Critical |
| Hetzner | Compute infrastructure for api.prix.dev | Germany (EU) | ISO 27001 | Critical |
| Cloudflare | CDN, DNS, R2 object storage, Origin CA, Workers | Global anycast | SOC 2 Type 2; ISO 27001/27018; PCI | Critical |
| Stripe | Payments and subscription billing | United States (global) | SOC 2 Type 2; PCI DSS Level 1 | Critical |
| Anthropic | LLM inference (Claude family) routed through our proxy | United States | SOC 2 Type 2 | Critical |
| OpenAI | LLM inference routed through our proxy | United States | SOC 2 Type 2 | Critical |
| OpenRouter | LLM routing fallback | United States | Self-attested | Critical |
| OAuth and Gmail / Calendar / Sheets API access (when user authorizes) | United States / global | SOC 2 Type 2; ISO 27001/27018 | Critical | |
| Microsoft | OAuth and Microsoft 365 API access (when user authorizes) | United States / EU | SOC 2 Type 2; ISO 27001 | Critical |
| Slack | OAuth (workspace integration) when user authorizes | United States | SOC 2 Type 2; ISO 27001 | High |
| Twitter (X) | OAuth when user authorizes | United States | SOC 2 Type 2 | High |
| Notion | OAuth when user authorizes | United States | SOC 2 Type 2 | High |
| WorkOS | Single sign-on for organisations | United States | SOC 2 Type 2 | Critical |
| 1Password Business | Encrypted secrets vault for production secrets | Per tenant | SOC 2 Type 2 | Critical |
| Tailscale | Zero-trust overlay network for administrative access | Global | SOC 2 Type 2 | Critical |
| GitHub | Source code and CI | United States | SOC 2 Type 2 | High |
| Better Stack | Centralized log storage | EU | SOC 2 Type 2 | High |
| Resend | Transactional and operational email | United States | SOC 2 Type 2 | High |
| Grafana Cloud | Metrics dashboards and alerting | United States / EU | SOC 2 Type 2; ISO 27001 | High |
| PostHog | Product analytics (subject to your consent) | United States / EU | SOC 2 Type 2 | High |
| Sentry | Crash and error reports | United States | SOC 2 Type 2 | High |
| Telegram | Operational alerts only — no customer content; migration to PagerDuty in progress | Global | Self-attested | High |
| Sendblue | iMessage gateway for outbound notifications | United States | Self-attested | High |
Questions or objections
Contact [email protected] with any question about a subprocessor. We respond within 30 days.