Provider inventory
Subprocessors
This page lists detected active providers and planned/placeholder providers for HatchCheck's legal review inventory.
Version: 0.1-draft
Effective date: 2026-05-04
Last updated: 2026-05-04
Draft for legal review. Active status should be confirmed against production environment variables, contracts, and deployment records.
Status Meanings
| active | Detected in runtime dependencies or implemented service code. |
|---|---|
| planned | Expected for production but not confirmed active in this repo. |
| placeholder | Inventory placeholder for attorney/business review, not active until configured. |
Current Inventory
Active rows are based on detected runtime dependencies or implemented service code. Placeholder rows need final vendor, contract, deployment, and region confirmation before production use.
| Provider | Purpose | Data categories | Region | Safeguards | Privacy URL | Security URL | Status |
|---|---|---|---|---|---|---|---|
| Supabase | Authentication, Postgres database access, and private evidence storage where configured. | account info, project/app info, uploaded artifacts, audit metadata | [SUPABASE_REGION_TO_CONFIRM] | Private storage buckets, server-side authorization, RLS/live isolation verification required. | https://supabase.com/privacy | https://supabase.com/security | active |
| Stripe | Checkout, payment processing, order metadata, receipts, and webhook fulfillment. | billing metadata, customer email, order metadata | [STRIPE_REGION_TO_CONFIRM] | Stripe handles card data; HatchCheck stores order/payment status and Stripe IDs. | https://stripe.com/privacy | https://stripe.com/docs/security | active |
| Vercel or hosting provider | Application hosting, routing, logs, and deployment platform. | usage/log/device data, request metadata | [HOSTING_REGION_TO_CONFIRM] | Confirm deployment provider, log retention, and access controls before marking active. | [HOSTING_PRIVACY_URL] | [HOSTING_SECURITY_URL] | placeholder |
| AI provider TBD | Optional AI-assisted drafting, normalization, and report/task generation. | redacted project/app info, AI processing metadata/output | [AI_PROVIDER_REGION_TO_CONFIRM] | Do not enable until provider data terms, retention, training settings, and redaction are reviewed. | [AI_PROVIDER_PRIVACY_URL] | [AI_PROVIDER_SECURITY_URL] | placeholder |
| Email provider TBD | Support, confirmation, privacy request, and transactional email if configured later. | account info, communications/support, privacy request metadata | [EMAIL_REGION_TO_CONFIRM] | No active package detected; confirm provider and email logging before use. | [EMAIL_PROVIDER_PRIVACY_URL] | [EMAIL_PROVIDER_SECURITY_URL] | placeholder |
| Analytics provider TBD | Optional analytics or marketing measurement after consent where required. | cookies/analytics, usage/log/device data | [ANALYTICS_REGION_TO_CONFIRM] | No active PostHog, GA, Plausible, or Sentry package detected; do not load before consent. | [ANALYTICS_PROVIDER_PRIVACY_URL] | [ANALYTICS_PROVIDER_SECURITY_URL] | placeholder |