Sub-processors
govn.ai uses the third-party services listed below to provide the platform. Each sub-processor is contractually bound to the protections in our Data Processing Agreement with you, including the obligation to process personal data only on the documented instructions of govn.ai (acting on your behalf).
We will notify you by email at least 14 days before adding, removing, or substituting any sub-processor. If you object to a change you may terminate the affected service in accordance with the Terms of Service.
| Sub-processor | Purpose | Primary jurisdiction |
|---|---|---|
Vercel, Inc. Their DPA | Application hosting and edge delivery (Next.js host). Data: Request metadata (IP, headers), application logs, customer data in transit. | United States (data in EU/UK regions where supported) |
Neon Inc. Their DPA | Managed PostgreSQL database. Primary customer data store. Data: All customer data stored in the application database (user accounts, use cases, incidents, policies, audit log). | European Union (Frankfurt) |
Clerk, Inc. Their DPA | User authentication, organisation membership, MFA. Data: User identity (name, email), authentication factors (TOTP secrets, recovery codes), organisation membership metadata. | United States |
Resend, Inc. Their DPA | Transactional and digest email delivery. Data: Recipient name and email, subject line, email body (notifications, attestation requests, board pack distributions). | United States |
Functional Software, Inc. dba Sentry Their DPA | Application error tracking and performance monitoring. Data: Error stack traces, request metadata, user id and email where available. Customer-data values are scrubbed before transmission where possible. | European Union (Frankfurt region selected) |
PostHog Inc. Their DPA | Product analytics (page views, feature usage). Only loaded after the visitor accepts the analytics cookie. Data: Pseudonymous visitor id, page views, feature events, browser metadata. No personal data unless the visitor identifies themselves to the platform. | European Union (EU cloud option selected) |
Inngest, Inc. Their DPA | Background job scheduling and execution (cron jobs, async exports). Data: Event payloads passed to background jobs — typically include entity identifiers, never raw customer-data values. | United States |
Vercel Blob (Vercel, Inc.) Their DPA | File storage — policy attachments, evidence pack PDFs, board pack PDFs. Data: Customer-uploaded files (governance evidence, policy drafts, board pack exports). | United States (data in EU/UK regions where supported) |
International transfers
Where personal data is processed outside the United Kingdom, we rely on the UK Government's adequacy decisions where they exist (e.g. the EU) or on the UK International Data Transfer Agreement (IDTA) where they don't (e.g. the United States). The relevant transfer mechanism is set out in each sub-processor's DPA.
Questions
Email privacy@govn.ai.