> ## Documentation Index > Fetch the complete documentation index at: https://learn.cleftnotes.com/llms.txt > Use this file to discover all available pages before exploring further. # Third-Party Vendors > Complete transparency about all vendors we work with and how they handle your data ## Our Vendor Commitment At Cleft, we carefully select third-party vendors who share our commitment to data protection and user privacy. This page provides complete transparency about all 37 vendors we work with. **Last Updated**: September 10, 2025\ **Effective**: September 10, 2025 All vendors meet our strict data protection standards and comply with GDPR, CCPA, and other applicable privacy regulations. ## Vendor Overview **19 vendors** process personal identifiable information (PII) These vendors handle customer data like notes, account info, or payment details. All have signed Data Processing Agreements. **18 vendors** handle no personal customer data These vendors support our business operations, marketing, and development but never access your personal information. *** ## Vendors Processing Personal Data **High Privacy Standards**: These 19 vendors handle personal identifiable information (PII) and are subject to our strictest data protection requirements. ### Cloud Infrastructure & Data Processing **Services**: Hosting and managing cloud infrastructure\ **PII Handling**: ✅ Yes - Hosts encrypted user data\ **Data Centers**: EU, Global (multiple locations)\ **HQ**: Seattle, Washington, USA\ **Links**: [Homepage](https://aws.amazon.com) | [Privacy](https://aws.amazon.com/compliance/data-privacy/) | [DPA](https://aws.amazon.com/agreement/) **What They Access**: Secure hosting infrastructure only. AWS provides encrypted storage but cannot access your actual notes or content. **Services**: Developing and distributing applications through the Apple ecosystem\ **PII Handling**: ✅ Yes - App Store account data and on-device processing\ **Data Centers**: Global (multiple locations)\ **HQ**: Cupertino, California, USA\ **Links**: [Homepage](https://www.apple.com) | [Privacy](https://www.apple.com/legal/privacy/) **What They Access**: Whisper transcription model runs locally on your device. Apple handles App Store transactions but doesn't access your Cleft content. **Services**: CDN, DNS, and DDoS protection services\ **PII Handling**: ✅ Yes - Website traffic and DNS queries\ **Data Centers**: Global (multiple locations)\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://www.cloudflare.com) | [Privacy](https://www.cloudflare.com/privacypolicy/) | [DPA](https://www.cloudflare.com/cloudflare-customer-dpa/) **What They Access**: Website traffic patterns and DNS queries only. No access to Cleft content or user data. ### AI Processing Partners **Services**: Primary LLM provider for note enhancement\ **PII Handling**: ✅ Yes - Processes transcript text only\ **Data Centers**: Not specified\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://openai.com/) | [Privacy](https://openai.com/privacy) | [DPA](https://openai.com/policies/data-processing-addendum) **What They Access**: Transcript text only (never audio) for AI processing. Your data is never used for model training. **Services**: Backup LLM provider to ensure service reliability\ **PII Handling**: ✅ Yes - Processes transcript text only\ **Data Centers**: Global (multiple locations)\ **HQ**: Mountain View, California, USA\ **Links**: [Homepage](https://groq.com) | [Privacy](https://groq.com/privacy) **What They Access**: Alternative AI processor for text enhancement. Same privacy protections as OpenAI. **Services**: Additional AI processing capabilities\ **PII Handling**: ✅ Yes - Processes transcript text only\ **Data Centers**: Global (multiple locations)\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://www.anthropic.com) | [Privacy](https://www.anthropic.com/privacy) | [Terms](https://www.anthropic.com/terms) **What They Access**: Processes transcript text for note enhancement. Strict no-training policy on user data. ### Payment & Billing **Services**: Handling online transactions securely\ **PII Handling**: ✅ Yes - Payment processing (PCI compliant)\ **Data Centers**: Not specified\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://stripe.com) | [Privacy](https://stripe.com/privacy) | [Legal](https://stripe.com/legal) **What They Access**: Payment processing only. We never see your actual payment details. **Services**: Managing in-app subscriptions and purchases\ **PII Handling**: ✅ Yes - Subscription data and analytics\ **Data Centers**: Global (multiple locations)\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://www.revenuecat.com) | [Privacy](https://www.revenuecat.com/privacy) | [Terms](https://www.revenuecat.com/terms) **What They Access**: Subscription management and analytics. No access to your notes or content. **Services**: Business banking and financial services\ **PII Handling**: ✅ Yes - Financial transactions and account data\ **Data Centers**: EU\ **HQ**: London, United Kingdom\ **Links**: [Homepage](https://www.revolut.com/business) | [Privacy](https://www.revolut.com/en-GB/legal/privacy-policy) | [Terms](https://www.revolut.com/en-GB/legal/terms) **What They Access**: Internal business banking transactions only. No customer data or personal information. ### Customer Management & Communications **Services**: Managing marketing activities and customer interactions\ **PII Handling**: ✅ Yes - Contact info and support interactions\ **Data Centers**: EU\ **HQ**: Cambridge, Massachusetts, USA\ **Links**: [Homepage](https://www.hubspot.com/) | [DPA](https://legal.hubspot.com/dpa) **What They Access**: Contact information and customer support interactions only. **Services**: Conducting email marketing campaigns\ **PII Handling**: ✅ Yes - Email addresses for marketing (opt-in)\ **Data Centers**: Global (multiple locations)\ **HQ**: Vilnius, Lithuania\ **Links**: [Homepage](https://www.mailerlite.com/) | [Privacy](https://www.mailerlite.com/legal/privacy-policy) | [Terms](https://www.mailerlite.com/legal/terms-of-service) **What They Access**: Email addresses for newsletter delivery only (opt-in). No access to personal content. ### Business Intelligence & Monitoring **Services**: Communication, document creation, and collaboration\ **PII Handling**: ✅ Yes - Internal business communications\ **Data Centers**: EU\ **HQ**: Mountain View, California, USA\ **Links**: [Homepage](https://workspace.google.com) | [Privacy](https://workspace.google.com/privacy/gdpr/) | [DPA](https://workspace.google.com/terms/data-processing-terms.html) **What They Access**: Internal team communications only. No user data processing. **Services**: Analysing business data and generating reports\ **PII Handling**: ✅ Yes - Aggregated business analytics\ **Data Centers**: EU (self-hosted)\ **HQ**: N/A (open-source project)\ **Links**: [Homepage](https://www.metabase.com) | [Privacy](https://www.metabase.com/privacy) | [Terms](https://www.metabase.com/terms) **What They Access**: Aggregated business metrics only. No individual user data. **Services**: Team password management and secure credential storage\ **PII Handling**: ✅ Yes - Internal team credentials and access management\ **Data Centers**: EU\ **HQ**: Toronto, Ontario, Canada\ **Links**: [Homepage](https://1password.com) | [Privacy](https://1password.com/legal/privacy/) | [Terms](https://1password.com/legal/terms-of-service/) **What They Access**: Internal team passwords and credentials only. No customer data or personal information. **Services**: Monitoring and resolving application errors\ **PII Handling**: ✅ Yes - Error logs (no personal content)\ **Data Centers**: Not specified\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://sentry.io) | [Privacy](https://sentry.io/privacy/) | [Terms](https://sentry.io/terms/) **What They Access**: Application error logs only. No personal content included in crash reports. ### Website & Design Services **Services**: Designing and hosting our public-facing website and forms\ **PII Handling**: ✅ Yes - Website form submissions\ **Data Centers**: Global (multiple locations)\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://webflow.com) | [Privacy](https://webflow.com/privacy) | [Terms](https://webflow.com/terms) **What They Access**: Website contact forms and landing page interactions only. **Services**: Enhancing user experience through design consulting\ **PII Handling**: ✅ Yes - Design consultation materials\ **Data Centers**: Global (multiple locations)\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://sofriendly.com) | [Privacy](https://sofriendly.com/privacy) | [Terms](https://sofriendly.com/terms) **What They Access**: Design assets and user experience materials only. **Services**: Domain registration and DNS management\ **PII Handling**: ✅ Yes - Domain registration information\ **Data Centers**: Global (multiple locations)\ **HQ**: Phoenix, Arizona, USA\ **Links**: [Homepage](https://www.namecheap.com) | [Privacy](https://www.namecheap.com/legal/general/privacy-policy/) | [Terms](https://www.namecheap.com/legal/general/terms-of-service/) **What They Access**: Domain registration details and DNS configuration only. ### Scheduling & Automation **Services**: Form building and data collection (replaces SavvyCal)\ **PII Handling**: ✅ Yes - Form submissions and contact information\ **Data Centers**: Global (multiple locations)\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://www.fillout.com) | [Privacy](https://www.fillout.com/privacy) | [Terms](https://www.fillout.com/terms) **What They Access**: Form submissions and scheduling data only. **Services**: Automating workflows across different tools\ **PII Handling**: ✅ Yes - Integration data flows\ **Data Centers**: Global (multiple locations)\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://zapier.com) | [Privacy](https://zapier.com/privacy) | [Terms](https://zapier.com/terms) **What They Access**: Only data flows you explicitly configure in integrations. *** ## Business Operations Vendors **No Personal Data**: These 18 vendors support our business operations, marketing, and development but never access your personal information or content. ### Social Media & Marketing **Services**: Social media marketing and brand engagement\ **PII Handling**: ❌ No - Marketing only\ **Links**: [Homepage](https://facebook.com) | [Privacy](https://www.facebook.com/privacy/explanation) **Services**: Social media marketing and brand engagement\ **PII Handling**: ❌ No - Marketing only\ **Links**: [Homepage](https://Instagram.com) | [Privacy](https://help.instagram.com/519522125107875) **Services**: Social media marketing, talent and brand engagement\ **PII Handling**: ❌ No - Marketing only\ **Links**: [Homepage](https://LinkedIn.com) | [Privacy](https://www.linkedin.com/legal/privacy-policy) **Services**: Social media marketing and brand engagement\ **PII Handling**: ❌ No - Marketing only\ **Links**: [Homepage](https://x.com) | [Privacy](https://x.com/privacy) **Services**: Social media marketing and brand engagement\ **PII Handling**: ❌ No - Marketing only\ **Links**: [Homepage](https://threads.net) | [Privacy](https://threads.net/privacy) **Services**: Social media marketing and brand engagement\ **PII Handling**: ❌ No - Marketing only\ **Links**: [Homepage](https://joinmastodon.org) **Services**: Link management and branded short URLs\ **PII Handling**: ❌ No - Link shortening only\ **Links**: [Homepage](https://www.rebrandly.com) ### Development & Collaboration **Services**: Managing source code and collaboration\ **PII Handling**: ❌ No - Code repository only\ **Links**: [Homepage](https://github.com) | [Privacy](https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement) **Services**: Facilitating internal communication and collaboration\ **PII Handling**: ❌ No - Internal team communication only\ **Links**: [Homepage](https://slack.com) | [Privacy](https://slack.com/privacy-policy) **Services**: Designing user interfaces collaboratively\ **PII Handling**: ❌ No - Design files only\ **Links**: [Homepage](https://figma.com) | [Privacy](https://figma.com/privacy) ### Documentation & Content **Services**: Documentation platform hosting (replaced GitBook)\ **PII Handling**: ❌ No - Documentation content only\ **Data Centers**: Global (multiple locations)\ **HQ**: San Francisco, California, USA\ **Links**: [Homepage](https://mintlify.com) | [Privacy](https://mintlify.com/privacy) | [Terms](https://mintlify.com/terms) **What They Access**: Public documentation content only. **Services**: Product video creation\ **PII Handling**: ❌ No - Video production only\ **Links**: Currently no website listed ### Media & Podcast **Services**: Hosting and distributing podcasts\ **PII Handling**: ❌ No - Podcast hosting only\ **Links**: [Homepage](https://transistor.fm) | [Privacy](https://transistor.fm/privacy) **Services**: Audio and video editing\ **PII Handling**: ❌ No - Content editing only\ **Links**: [Homepage](https://www.descript.com) | [Privacy](https://www.descript.com/privacy) ### Analytics (Anonymous Only) **Services**: Collecting website analytics with a focus on privacy\ **PII Handling**: ❌ No - Anonymous analytics only\ **Links**: [Homepage](https://usefathom.com) | [Privacy](https://usefathom.com/privacy) **What They Track**: Anonymous page views on our documentation site only. No personal data collected. **Services**: In-app anonymous analytics and performance monitoring\ **PII Handling**: ❌ No - Anonymous analytics only (no PII passed)\ **Data Centers**: EU (Germany)\ **HQ**: Würzburg, Germany\ **Links**: [Homepage](https://telemetrydeck.com) | [Privacy](https://telemetrydeck.com/privacy) | [Terms](https://telemetrydeck.com/terms) **What They Track**: Anonymous app usage patterns and performance metrics only. Zero personal information. ## Vendor Data Practices Our vendors are contractually required to: * Retain data only as long as necessary for service delivery * Delete data upon our request * Follow the same data retention policies we maintain All vendors must: * Encrypt data in transit and at rest * Maintain SOC 2 Type II compliance or equivalent * Undergo regular security audits * Report any security incidents within 24 hours Vendor access to your data is: * Limited to what's necessary for service delivery * Logged and monitored * Subject to strict confidentiality agreements * Never used for vendor's own purposes * Detailed above for each specific vendor ## Vendor Selection Process We maintain strict criteria when selecting third-party vendors to ensure the highest level of data protection: * **Privacy Standards**: GDPR, CCPA, and international privacy law compliance * **Security Certifications**: We **prefer and prioritize** vendors who align with the following certifications: * **SOC 2 Type II** compliance * **ISO 27001** certification * Other recognized industry security standards * **Data Processing Agreements**: Clear contractual obligations about data handling * **Incident Response**: Proven track record of security and transparency * **Business Continuity**: Financial stability and reliable service delivery **Our Commitment**: We actively seek vendors with the strongest security posture and will migrate to more secure alternatives when they become available. ## Data Processing & Vendor Compliance ### Vendor DPA Requirements We ensure all vendors handling personal data have appropriate data protection measures: * **DPA Verification**: We verify that vendors have comprehensive Data Processing Agreements available that specify: * Permitted uses of your data * Data security requirements * Incident notification procedures * Data subject rights fulfillment * Audit and compliance obligations * **Contractual Protections**: Where direct DPAs aren't signed, we ensure contractual terms include equivalent data protection commitments * **Ongoing Monitoring**: Regular review of vendor compliance and security practices ### Cleft's Data Processing Agreement **No Request Needed - Publicly Available** Cleft's complete Data Processing Agreement is transparently available to all customers: 📄 **View Our DPA**: [Data Processing Agreement](/trust/data-processing-agreement-dpa)\ 📧 **Questions**: [privacy@cleftnotes.com](mailto:privacy@cleftnotes.com) with "DPA" in subject line\ 🏢 **Customer Support**: Audit rights and compliance assistance available **What's Included**: Controller/Processor roles, security measures, data transfers, incident response, audit rights, and complete data handling transparency. ## Your Rights Regarding Vendor Data You have the right to: * Know which vendors process your data * Request deletion of your data from all vendors * Receive copies of vendor DPAs upon request * Be notified of any vendor data breaches * Opt-out of specific vendor services where possible ## Vendor Updates We regularly review our vendor relationships and may: * Add new vendors to improve our services * Remove vendors that no longer meet our standards * Update vendor data processing terms * Notify users of significant vendor changes If you have concerns about any of our vendors or their data practices, please contact our Data Protection Officer at [DPO@cleftnotes.com](mailto:DPO@cleftnotes.com). ## Contact Information For questions about our vendors or data processing: * **Data Protection Officer**: [DPO@cleftnotes.com](mailto:DPO@cleftnotes.com) * **General Privacy Questions**: [privacy@cleftnotes.com](mailto:privacy@cleftnotes.com) * **Vendor DPA Requests**: [privacy@cleftnotes.com](mailto:privacy@cleftnotes.com) ## Quick Reference **Total Vendors**: 37\ **Handle Personal Data**: 19 vendors\ **Business Operations Only**: 18 vendors\ **Last Updated**: September 10, 2025\ **All DPAs Available**: Upon request to [privacy@cleftnotes.com](mailto:privacy@cleftnotes.com) *** *This page was last updated on September 18, 2024. We'll notify users of any material changes to our vendor relationships.*