Legal
Subprocessors
These are the third-party service providers we engage to help deliver Maintn. Each processes only the data needed for its purpose, under our instructions.
Last updated: 16 June 2026
We keep this list current as our service evolves and give notice before a new subprocessor begins processing data. Regions and certifications below are being verified against each vendor’s current trust page. For how we handle your information generally — including overseas disclosure — see our Privacy Policy and Data Residency Assurance.
| Name | Purpose | Data categories | Location | Certifications |
|---|---|---|---|---|
| Supabase | Database, authentication + storage | Operator, team, tenant + agency data; photos; voice records | AWS ap-southeast-2 (Sydney, AU); corp US | SOC 2 Type II; HIPAA (AWS underlay: ISO 27001, PCI DSS) |
| Vercel Inc | Application hosting + edge functions | Request data in transit; transient compute | AU edge + US origin | SOC 2 Type II; ISO 27001 |
| Stripe Payments Australia Pty Ltd | Subscription billing + payments | Billing contact, card tokens (no full PAN stored), payment metadata | Australia (entity of record) + global | PCI DSS Level 1; SOC 1/2; ISO 27001 |
| Vapi Inc | AI voice answering | Phone numbers, call audio + transcripts | United States | SOC 2 Type II (verify) |
| Twilio Inc | SMS messaging + telephony | Phone numbers + message content | United States / AU presence | SOC 2 Type II; ISO 27001; PCI DSS |
| Postmark (ActiveCampaign) | Transactional email | Email addresses + email content | United States | SOC 2 Type II |
| Sentry (Functional Software Inc) | Application error monitoring | IP, diagnostic data, error context (PII scrubbed) | United States | SOC 2 Type II; ISO 27001 |
| PostHog Inc | Privacy-first product analytics (consent-gated) | Pseudonymous usage events; no IP stored | EU Cloud (Frankfurt) | SOC 2 Type II; HIPAA |
| Cloudflare Inc | DNS + CDN | IP addresses + traffic metadata | United States / global edge | SOC 2 Type II; ISO 27001; PCI DSS |
| Anthropic | AI assistant (Claude API) | Task-specific content sent at use time | United States | SOC 2 Type II (no training on API data) |
Supabase
- Purpose
- Database, authentication + storage
- Data
- Operator, team, tenant + agency data; photos; voice records
- Location
- AWS ap-southeast-2 (Sydney, AU); corp US
- Certs
- SOC 2 Type II; HIPAA (AWS underlay: ISO 27001, PCI DSS)
Vercel Inc
- Purpose
- Application hosting + edge functions
- Data
- Request data in transit; transient compute
- Location
- AU edge + US origin
- Certs
- SOC 2 Type II; ISO 27001
Stripe Payments Australia Pty Ltd
- Purpose
- Subscription billing + payments
- Data
- Billing contact, card tokens (no full PAN stored), payment metadata
- Location
- Australia (entity of record) + global
- Certs
- PCI DSS Level 1; SOC 1/2; ISO 27001
Vapi Inc
- Purpose
- AI voice answering
- Data
- Phone numbers, call audio + transcripts
- Location
- United States
- Certs
- SOC 2 Type II (verify)
Twilio Inc
- Purpose
- SMS messaging + telephony
- Data
- Phone numbers + message content
- Location
- United States / AU presence
- Certs
- SOC 2 Type II; ISO 27001; PCI DSS
Postmark (ActiveCampaign)
- Purpose
- Transactional email
- Data
- Email addresses + email content
- Location
- United States
- Certs
- SOC 2 Type II
Sentry (Functional Software Inc)
- Purpose
- Application error monitoring
- Data
- IP, diagnostic data, error context (PII scrubbed)
- Location
- United States
- Certs
- SOC 2 Type II; ISO 27001
PostHog Inc
- Purpose
- Privacy-first product analytics (consent-gated)
- Data
- Pseudonymous usage events; no IP stored
- Location
- EU Cloud (Frankfurt)
- Certs
- SOC 2 Type II; HIPAA
Cloudflare Inc
- Purpose
- DNS + CDN
- Data
- IP addresses + traffic metadata
- Location
- United States / global edge
- Certs
- SOC 2 Type II; ISO 27001; PCI DSS
Anthropic
- Purpose
- AI assistant (Claude API)
- Data
- Task-specific content sent at use time
- Location
- United States
- Certs
- SOC 2 Type II (no training on API data)
Changes to this list
We may add or replace subprocessors as the service grows. Material changes will be reflected here with an updated date. Questions about a specific subprocessor can be directed to privacy@maintn.com.au.