Subprocessor List
This page lists the service providers ("subprocessors") that may process personal data on behalf of Holistic Quality LLC in connection with the ALETHEIA chemical safety intelligence API and related websites. It supplements the ALETHEIA Privacy Policy and mirrors the canonical subprocessor list maintained in the HQ Data Policy v2.0. The machine-readable source of record, including per-processor transfer mechanism status, is at /api/compliance.
This list reflects the current operational state of the Service and is maintained as our infrastructure and tooling evolve.
1. Categories
Subprocessors are grouped by function. Each subprocessor is named, with its role, the regions in which it primarily processes data, and a link to its own privacy or data-processing information.
1.1 Hosting and compute
| Subprocessor | Role | Processing regions | References |
|---|---|---|---|
| Vercel Inc. | Application hosting, serverless compute for API endpoints, website hosting | United States (primary), edge regions globally | Privacy Policy, DPA |
1.2 Content delivery and edge security
| Subprocessor | Role | Processing regions | References |
|---|---|---|---|
| Cloudflare, Inc. | DNS, CDN, edge caching, bot management, DDoS protection, rate limiting | Global edge network | Privacy Policy, DPA, Subprocessors |
1.3 Key storage and rate limiting
| Subprocessor | Role | Processing regions | References |
|---|---|---|---|
| Upstash, Inc. | Serverless Redis — one-way hashed API key records, email addresses, usage counters, rate-limit counters, trial flags, enterprise inquiry data | European Union — AWS eu-west-1 (Ireland) | Privacy Policy, DPA, Subprocessors |
1.4 Operational tooling (direct-issued accounts)
| Subprocessor | Role | Processing regions | References |
|---|---|---|---|
| Stripe, Inc. | Payment and subscription processing for direct-issued accounts. Card data never touches ALETHEIA servers (PCI SAQ-A). Holistic Quality stores only the Stripe customer reference and the customer email. | United States (PCI-DSS Level 1) | Privacy Policy, DPA, Subprocessors |
| Resend (Resend Inc.) | Transactional email delivery for direct-issued accounts (API key issuance, trial reminders, security advisories, rights-request verification). Email content is masked for PII per internal data-minimization policy. | United States | Privacy Policy, DPA, Subprocessors |
2. Independent data controllers (not subprocessors)
The following entity is not a subprocessor of Holistic Quality. It acts as an independent data controller for its own users' account and billing information, governed by its own terms and privacy policy. It is listed here for transparency because many ALETHEIA users will interact with it.
| Entity | Relationship | References |
|---|---|---|
| R Software Inc. (RapidAPI) | Independent data controller for marketplace users' account and billing data. Holistic Quality receives only the limited information described in Privacy Policy §2.1 from RapidAPI. | Privacy Policy, Terms |
3. How we vet subprocessors
Before engaging a subprocessor that will process personal data on our behalf, we verify:
- the provider publishes a privacy policy and, where applicable, a Data Processing Addendum
- the provider has a reasonable security posture (encryption in transit, access controls, recent compliance certifications where relevant)
- the provider's data-processing geography is compatible with our commitments to users
- the provider's role aligns with the purposes described in our Privacy Policy
4. Updates to this list
We may add, remove, or replace subprocessors from time to time. Material changes will be reflected on this page. Where we add a subprocessor that will receive personal data covered by a user's right to object, we will announce the change through the channels described in Privacy Policy §11 before the change takes effect, unless the change is required for security, fraud prevention, or legal compliance and cannot be delayed.
The "Last Updated" date at the top of this page indicates the most recent revision.
5. Contact
Questions about this Subprocessor List, or to receive advance notice of additions:
Holistic Quality LLC
Lebanon, Ohio
privacy@holisticquality.io