HOA-OS Sub-Processors

Effective: May 27, 2026

Below is the complete list of sub-processors HOA-OS uses to operate the Service. Each is contractually bound by a Data Processing Agreement (DPA) with confidentiality and security commitments at least as strict as those in our Privacy Policy.

| Vendor | Category | Data handled | Region | Compliance |
| --- | --- | --- | --- | --- |
| Vercel | Cloud hosting, edge networking | Request metadata, encrypted application traffic | Global edge; primary compute in US-East | SOC 2 Type II, ISO 27001 |
| Supabase | Managed Postgres, authentication, file storage, secrets vault | All persisted application data (encrypted at rest) | US-West-2 (preview), Oregon (prod) | SOC 2 Type II |
| Stripe | Payment processing (subscriptions + HOA dues) | Payment card metadata (full PAN never touches our servers) | Global | PCI DSS Level 1, SOC 2 |
| Plaid | Bank account linking and read-only transaction sync (opt-in) | Bank account metadata + transaction history for connected accounts | US | SOC 2 Type II, ISO 27001 |
| Anthropic | AI inference | AI prompts + responses. PII is pre-stripped only on the form-response and violation AI-review surfaces; chatbot, newsletter, and budgeting surfaces pass authenticated-user context through under Anthropic's Zero Data Retention agreement. | US | SOC 2 Type II |
| Resend | Transactional and newsletter email delivery | Recipient email addresses + message bodies | US + EU | SOC 2 Type II |
| Twilio | SMS notification delivery (opt-in) | Recipient phone numbers + message text | Global | SOC 2 Type II |
| Lob | Physical mail delivery (opt-in) | Recipient mailing addresses + letter contents | US | SOC 2 Type II |
| Cloudflare | DNS and bot protection (Turnstile) | Request headers, Turnstile challenge tokens | Global edge | SOC 2 Type II, ISO 27001 |
| Sentry | Error monitoring | Error stack traces, request context (with PII scrubbing) | US | SOC 2 Type II |
| Voyage AI | Embedding generation for vector search | Document text passages for embedding (no user account data) | US | Not publicly certified at time of writing |
| Pexels | Stock photography for community websites | Search query strings only; no customer data | Global CDN | Not publicly certified at time of writing |
| Upstash | Rate-limiting infrastructure (Redis) | IP addresses + request counters | Global | SOC 2 Type II |
| Meta Platforms | Advertising measurement (Meta Pixel) | Page views + Lead/Subscribe events from public marketing + post-checkout pages only (no PII passed; see Privacy Policy §11) | Global | SOC 2 Type II, ISO 27001 |
| Google | Maps and Places APIs (address autocomplete + sponsor location data) | User-typed address fragments during autocomplete; no account identifiers attached | Global | ISO 27001, SOC 2, SOC 3 |

We notify active organization administrators by email of any material changes to this list before they take effect.

This page is intentionally excluded from search engines (robots: noindex, nofollow) and rate-limited at our proxy to deter automated enumeration. Trusted parties should bookmark this URL or request updates from support@hoa-os.com.