List of subprocessors
🌐 English translation for convenience. The French version is the legally binding one.
⚠️ Document under legal review. This list is kept up to date by the Weloom team. Any material change is notified to Controllers with reasonable notice (see DPA § 6.3).
Last updated: June 2026
Weloom relies on the following technical subprocessors to provide the service. Each has signed a Data Processing Agreement (DPA) with Weloom, either directly or by adhering to their standard DPA terms. All process data in accordance with the GDPR.
Summary
| Subprocessor | Service provided | Location | Data concerned | DPA | |---|---|---|---|---| | Vercel | Web application hosting | EU West (Frankfurt) | Technical logs, IP | vercel.com/legal/dpa | | Supabase | PostgreSQL database + Storage + Auth | EU Frankfurt (eu-central-1) | All business data (encrypted at rest) | supabase.com/legal/dpa | | Anthropic | AI models (Claude Sonnet, Haiku) — companion chat, journey generation, OCR, rerank | United States (SCC) | Chat messages sent to the model, RAG excerpts | anthropic.com/legal/dpa | | OpenAI | Embeddings (text-embedding-3-small) — RAG indexing; Image generation (gpt-image-1) — Premium illustrations | United States (SCC) | Document excerpts for embedding, illustration prompts | openai.com/policies/data-processing-addendum | | Stripe | Payment and billing (subscriptions + Customer Portal) | EU + United States (SCC) | Customer ID, subscription status, card data (Stripe PCI-DSS) | stripe.com/legal/dpa | | Resend | Transactional email delivery (new-hire invitations, manager alerts, D-3 reminders) | United States (SCC) | Recipient email, subject, email body | resend.com/legal/dpa |
Details
Vercel (hosting)
- Vercel serves the deployed Next.js code in the EU West (Frankfurt) region.
- Technical log retention: 30 days.
- No application persistence on Vercel's side: the database is at Supabase.
Supabase (database and storage)
- EU Central 1 (Frankfurt) region.
- Native AES-256 encryption at rest.
- PostgreSQL Row Level Security enabled on all tables with
tenant_id(RM-07). - Storage: 3 dedicated buckets (private knowledge, public avatars / module illustrations).
- Backups: PITR (Point-In-Time Recovery) 7 days + daily snapshots.
Anthropic (conversational AI and generation)
- Claude Sonnet 4.5 models (companion chat, journey generation, PDF OCR) and Claude Haiku 4.5 (RAG rerank, quiz scoring).
- Anthropic does not reuse API data to train its models (standard confidentiality clause).
- Chat messages are transmitted during inference, then stored encrypted on Weloom's side (never at Anthropic).
OpenAI (embeddings and images)
- text-embedding-3-small model (1536 dimensions) for RAG indexing.
- gpt-image-1 model (landscape 1536×1024, medium quality) for Premium illustrations.
- OpenAI does not reuse API data to train its models (default API policy).
- No personally identifying data is sent to the embeddings (only document excerpts uploaded by HR).
Stripe (payment)
- Subscriptions managed via Stripe Elements + Stripe Customer Portal.
- PCI-DSS out of Weloom's scope: the card transits through a Stripe iframe, never through our servers.
- Stripe Tax enabled for automatic VAT calculation based on the customer's jurisdiction.
- Webhooks signed and verified on Weloom's side.
Resend (emails)
- Sent from the getpipeloom.fr domain, verified with SPF + DKIM + DMARC.
- Emails contain no sensitive content (never the content of an AI chat, never RAG excerpts).
- Resend keeps delivery logs (success / bounces) for 30 days.
Updating this list
In accordance with the Data Processing Agreement § 6.3, any material change to this list (addition, replacement of a subprocessor) is notified to Controllers by email. You have a reasonable period to object before it takes effect.
For any question: dpo@weloom.ai.