Our Vendor Commitment

At Cleft, we carefully select third-party vendors who share our commitment to data protection and user privacy. This page provides complete transparency about all 37 vendors we work with.
Last Updated: September 10, 2025
Effective: September 10, 2025
All vendors meet our strict data protection standards and comply with GDPR, CCPA, and other applicable privacy regulations.

Vendor Overview

Vendors Handling Personal Data

19 vendors process personally identifiable information (PII). These vendors handle customer data like notes, account info, or payment details. All have signed Data Processing Agreements.

Business Operations Only

18 vendors handle no personal customer data. These vendors support our business operations, marketing, and development but never access your personal information.

Vendors Processing Personal Data

High Privacy Standards: These 19 vendors handle personally identifiable information (PII) and are subject to our strictest data protection requirements.

Cloud Infrastructure & Data Processing

Services: Hosting and managing cloud infrastructure
PII Handling: ✅ Yes - Hosts encrypted user data
Data Centers: EU, Global (multiple locations)
HQ: Seattle, Washington, USA
Links: Homepage | Privacy | DPA
What They Access: Secure hosting infrastructure only. AWS provides encrypted storage but cannot access your actual notes or content.
Services: Developing and distributing applications through the Apple ecosystem
PII Handling: ✅ Yes - App Store account data and on-device processing
Data Centers: Global (multiple locations)
HQ: Cupertino, California, USA
Links: Homepage | Privacy | DPA
What They Access: Whisper transcription model runs locally on your device. Apple handles App Store transactions but doesn’t access your Cleft content.
Services: CDN, DNS, and DDoS protection services
PII Handling: ✅ Yes - Website traffic and DNS queries
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | DPA
What They Access: Website traffic patterns and DNS queries only. No access to Cleft content or user data.

AI Processing Partners

Services: Primary LLM provider for note enhancement
PII Handling: ✅ Yes - Processes transcript text only
Data Centers: Not specified
HQ: San Francisco, California, USA
Links: Homepage | Privacy | DPA
What They Access: Transcript text only (never audio) for AI processing. Your data is never used for model training.
Services: Backup LLM provider to ensure service reliability
PII Handling: ✅ Yes - Processes transcript text only
Data Centers: Global (multiple locations)
HQ: Mountain View, California, USA
Links: Homepage | Privacy | Terms
What They Access: Alternative AI processor for text enhancement. Same privacy protections as OpenAI.
Services: Additional AI processing capabilities
PII Handling: ✅ Yes - Processes transcript text only
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Processes transcript text for note enhancement. Strict no-training policy on user data.

Payment & Billing

Services: Handling online transactions securely
PII Handling: ✅ Yes - Payment processing (PCI compliant)
Data Centers: Not specified
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Legal
What They Access: Payment processing only. We never see your actual payment details.
Services: Managing in-app subscriptions and purchases
PII Handling: ✅ Yes - Subscription data and analytics
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Subscription management and analytics. No access to your notes or content.
Services: Business banking and financial services
PII Handling: ✅ Yes - Financial transactions and account data
Data Centers: EU
HQ: London, United Kingdom
Links: Homepage | Privacy | Terms
What They Access: Internal business banking transactions only. No customer data or personal information.

Customer Management & Communications

Services: Managing marketing activities and customer interactions
PII Handling: ✅ Yes - Contact info and support interactions
Data Centers: EU
HQ: Cambridge, Massachusetts, USA
Links: Homepage | Privacy
What They Access: Contact information and customer support interactions only.
Services: Conducting email marketing campaigns
PII Handling: ✅ Yes - Email addresses for marketing (opt-in)
Data Centers: Global (multiple locations)
HQ: Vilnius, Lithuania
Links: Homepage | Privacy | Terms
What They Access: Email addresses for newsletter delivery only (opt-in). No access to personal content.

Business Intelligence & Monitoring

Services: Communication, document creation, and collaboration
PII Handling: ✅ Yes - Internal business communications
Data Centers: EU
HQ: Mountain View, California, USA
Links: Homepage | Privacy | DPA
What They Access: Internal team communications only. No user data processing.
Services: Analysing business data and generating reports
PII Handling: ✅ Yes - Aggregated business analytics
Data Centers: EU (self-hosted)
HQ: N/A (open-source project)
Links: Homepage | Privacy | Terms
What They Access: Aggregated business metrics only. No individual user data.
Services: Team password management and secure credential storage
PII Handling: ✅ Yes - Internal team credentials and access management
Data Centers: EU
HQ: Toronto, Ontario, Canada
Links: Homepage | Privacy | Terms
What They Access: Internal team passwords and credentials only. No customer data or personal information.
Services: Monitoring and resolving application errors
PII Handling: ✅ Yes - Error logs (no personal content)
Data Centers: Not specified
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Application error logs only. No personal content included in crash reports.

Website & Design Services

Services: Designing and hosting our public-facing website and forms
PII Handling: ✅ Yes - Website form submissions
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Website contact forms and landing page interactions only.
Services: Enhancing user experience through design consulting
PII Handling: ✅ Yes - Design consultation materials
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Design assets and user experience materials only.
Services: Domain registration and DNS management
PII Handling: ✅ Yes - Domain registration information
Data Centers: Global (multiple locations)
HQ: Phoenix, Arizona, USA
Links: Homepage | Privacy | Terms
What They Access: Domain registration details and DNS configuration only.

Scheduling & Automation

Services: Form building and data collection (replaces SavvyCal)
PII Handling: ✅ Yes - Form submissions and contact information
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Form submissions and scheduling data only.
Services: Automating workflows across different tools
PII Handling: ✅ Yes - Integration data flows
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Only data flows you explicitly configure in integrations.

Business Operations Vendors

No Personal Data: These 18 vendors support our business operations, marketing, and development but never access your personal information or content.

Social Media & Marketing

Services: Social media marketing and brand engagement
PII Handling: ❌ No - Marketing only
Links: Homepage | Privacy
Services: Social media marketing and brand engagement
PII Handling: ❌ No - Marketing only
Links: Homepage | Privacy
Services: Social media marketing, talent and brand engagement
PII Handling: ❌ No - Marketing only
Links: Homepage | Privacy
Services: Social media marketing and brand engagement
PII Handling: ❌ No - Marketing only
Links: Homepage | Privacy
Services: Social media marketing and brand engagement
PII Handling: ❌ No - Marketing only
Links: Homepage | Privacy
Services: Social media marketing and brand engagement
PII Handling: ❌ No - Marketing only
Links: Homepage | Privacy
Services: Link management and branded short URLs
PII Handling: ❌ No - Link shortening only
Links: Homepage | Privacy | Terms

Development & Collaboration

Services: Managing source code and collaboration
PII Handling: ❌ No - Code repository only
Links: Homepage | Privacy
Services: Facilitating internal communication and collaboration
PII Handling: ❌ No - Internal team communication only
Links: Homepage | Privacy
Services: Designing user interfaces collaboratively
PII Handling: ❌ No - Design files only
Links: Homepage | Privacy

Documentation & Content

Services: Documentation platform hosting (replaced GitBook)
PII Handling: ❌ No - Documentation content only
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Public documentation content only.
Services: Product video creation
PII Handling: ❌ No - Video production only
Links: Currently no website listed

Media & Podcast

Services: Hosting and distributing podcasts
PII Handling: ❌ No - Podcast hosting only
Links: Homepage | Privacy
Services: Audio and video editing
PII Handling: ❌ No - Content editing only
Links: Homepage | Privacy

Analytics (Anonymous Only)

Services: Collecting website analytics with a focus on privacy
PII Handling: ❌ No - Anonymous analytics only
Links: Homepage | Privacy
What They Track: Anonymous page views on our documentation site only. No personal data collected.
Services: In-app anonymous analytics and performance monitoring
PII Handling: ❌ No - Anonymous analytics only (no PII passed)
Data Centers: EU (Germany)
HQ: Würzburg, Germany
Links: Homepage | Privacy | Terms
What They Track: Anonymous app usage patterns and performance metrics only. Zero personal information.

Vendor Data Practices

Our vendors are contractually required to:
  • Retain data only as long as necessary for service delivery
  • Delete data upon our request
  • Follow the same data retention policies we maintain
All vendors must:
  • Encrypt data in transit and at rest
  • Maintain SOC 2 Type II compliance or equivalent
  • Undergo regular security audits
  • Report any security incidents within 24 hours
Vendor access to your data is:
  • Limited to what’s necessary for service delivery
  • Logged and monitored
  • Subject to strict confidentiality agreements
  • Never used for vendor’s own purposes
  • Detailed above for each specific vendor

Vendor Selection Process

We maintain strict criteria when selecting third-party vendors to ensure the highest level of data protection:
  • Privacy Standards: GDPR, CCPA, and international privacy law compliance
  • Security Certifications: We prefer and prioritize vendors who align with the following certifications:
    • SOC 2 Type II compliance
    • ISO 27001 certification
    • Other recognized industry security standards
  • Data Processing Agreements: Clear contractual obligations about data handling
  • Incident Response: Proven track record of security and transparency
  • Business Continuity: Financial stability and reliable service delivery
Our Commitment: We actively seek vendors with the strongest security posture and will migrate to more secure alternatives when they become available.

Data Processing & Vendor Compliance

Vendor DPA Requirements

We ensure all vendors handling personal data have appropriate data protection measures:
  • DPA Verification: We verify that vendors have comprehensive Data Processing Agreements available that specify:
    • Permitted uses of your data
    • Data security requirements
    • Incident notification procedures
    • Data subject rights fulfillment
    • Audit and compliance obligations
  • Contractual Protections: Where direct DPAs aren’t signed, we ensure contractual terms include equivalent data protection commitments
  • Ongoing Monitoring: Regular review of vendor compliance and security practices

Cleft’s Data Processing Agreement

Transparent DPA Available

No Request Needed - Publicly Available
Cleft’s complete Data Processing Agreement is transparently available to all customers:
📄 View Our DPA: Data Processing Agreement
📧 Questions: [email protected] with “DPA” in subject line
🏢 Customer Support: Audit rights and compliance assistance available
What’s Included: Controller/Processor roles, security measures, data transfers, incident response, audit rights, and complete data handling transparency.

Your Rights Regarding Vendor Data

You have the right to:
  • Know which vendors process your data
  • Request deletion of your data from all vendors
  • Receive copies of vendor DPAs upon request
  • Be notified of any vendor data breaches
  • Opt-out of specific vendor services where possible

Vendor Updates

We regularly review our vendor relationships and may:
  • Add new vendors to improve our services
  • Remove vendors that no longer meet our standards
  • Update vendor data processing terms
  • Notify users of significant vendor changes
If you have concerns about any of our vendors or their data practices, please contact our Data Protection Officer at [email protected].

Contact Information

For questions about our vendors or data processing:

Quick Reference

Total Vendors: 37
Handle Personal Data: 19 vendors
Business Operations Only: 18 vendors
Last Updated: September 10, 2025
All DPAs Available: Upon request to [email protected]

This page was last updated on September 18, 2024. We’ll notify users of any material changes to our vendor relationships.