
Sub-processors

Every vendor whose systems touch customer data handled by Kontraxa: what they handle, where they operate, and their compliance posture.

Last updated: 2026-04-30. We notify customers under contract 30 days before adding any new sub-processor.

Active sub-processors

Supabase

Postgres database and S3-backed object storage (PDFs)
Data handled
Contract PDFs, invoice PDFs, analysis results, audit log, user profile, BYOK keys (encrypted at rest)
Region
us-east-1 (AWS) by default; EU-region project on Enterprise tier
Compliance
SOC 2 Type 2, HIPAA-eligible (BAA on Enterprise), ISO 27001

Anthropic

Claude API for contract and invoice analysis
Data handled
Contract text and invoice text (sent in prompts during analysis)
Region
us-east (AWS); EU residency available on Enterprise
Compliance
SOC 2 Type 2, Zero Data Retention available
Anthropic's default API behavior retains prompts and responses for about 30 days for abuse detection. Kontraxa operates under Anthropic's Zero Data Retention agreement, which removes that retention for traffic sent through Kontraxa's account. Tenants on BYOK route analysis through their own Anthropic account, so Kontraxa's agreement with Anthropic does not cover them; retention for BYOK tenants is governed by the tenant's own Anthropic terms.

Clerk

User authentication and identity
Data handled
User email, user name, login activity, session metadata
Region
us (AWS)
Compliance
SOC 2 Type 2, CCPA, GDPR
Never sees contract or invoice content.

Vercel

Frontend hosting (kontraxa.com and the application shell)
Data handled
Browser session metadata and client IP address (visible because Vercel terminates TLS); no contract or invoice content
Region
Global edge (CDN)
Compliance
SOC 2 Type 2, ISO 27001

Railway

Backend API hosting
Data handled
API request metadata, application logs (PII-redacted at the source)
Region
us-west (initial); per-tenant region available on Enterprise
Compliance
SOC 2 Type 2

Optional sub-processors (only when configured)

Sentry

Error tracking and performance monitoring (active when SENTRY_DSN is configured)
Data handled
Stack traces (secret patterns scrubbed via beforeSend filter), request IDs, route names — never contract or invoice content
Region
us-east (AWS); EU available
Compliance
SOC 2 Type 2, GDPR-ready
Kontraxa scrubs sk-ant-* (Anthropic API keys), Bearer tokens, Postgres connection URLs, Stripe keys, and Clerk webhook secrets from every event before it leaves the browser or backend. Session replays mask all text and inputs.
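The scrubbing step described above, as an added illustration that is not Kontraxa's own code: a Sentry `beforeSend` hook that walks the whole event (message, exception values, breadcrumbs, request headers, extra) and redacts the listed secret classes by pattern, plus an explicit deny-list for credential-bearing headers. The key formats (`sk-ant-…`, `sk_live_…`/`sk_test_…`, `whsec_…`) and the sample event are assumptions constructed for the example; real secret formats should be confirmed against each vendor's documentation.

```javascript
// Added example (not Kontraxa's code): pattern-based secret scrubbing for Sentry events.
// Secret formats are assumptions based on the vendors' public key prefixes.

// Redact known secret shapes inside a single string. Order matters: the Anthropic
// pattern runs before the Bearer pattern so "Bearer sk-ant-..." is labelled precisely.
function scrubString(s) {
  return s
    .replace(/sk-ant-[A-Za-z0-9_-]{8,}/g, "[REDACTED:anthropic-key]")
    .replace(/\bBearer\s+[A-Za-z0-9._~+/=-]{8,}/gi, "Bearer [REDACTED]")
    .replace(/\bpostgres(?:ql)?:\/\/[^\s'"]+/gi, "[REDACTED:postgres-url]")
    .replace(/\b(?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]{8,}/g, "[REDACTED:stripe-key]")
    .replace(/\bwhsec_[A-Za-z0-9+/=]{8,}/g, "[REDACTED:webhook-secret]");
}

// Headers that carry credentials are dropped outright rather than pattern-matched,
// because their values may not match any known secret shape.
const DROP_HEADERS = new Set(["authorization", "cookie", "set-cookie", "x-api-key"]);

// Recursively rebuild the event, scrubbing every string. `path` tracks where we are
// so the header deny-list only applies under request.headers.
function scrubValue(value, path = "") {
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, path));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (path === "request.headers" && DROP_HEADERS.has(k.toLowerCase())) {
        out[k] = "[REDACTED:header]";
        continue;
      }
      out[k] = scrubValue(v, path ? `${path}.${k}` : k);
    }
    return out;
  }
  return value; // numbers, booleans, null pass through untouched
}

// The hook Sentry calls for every event before transmission. Returning a new object
// (rather than mutating) keeps the original available for local debugging.
function beforeSend(event, hint) {
  return scrubValue(event);
}

// Constructed sample event containing one secret of each class (all values fake).
const SAMPLE_EVENT = {
  message: "Anthropic call failed with key sk-ant-api03-abcdefghijklmnop",
  request: {
    url: "https://api.kontraxa.example/v1/analyze",
    headers: {
      Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.payload.signature",
      "X-Request-Id": "req_123",
    },
  },
  exception: {
    values: [{ type: "Error", value: "connect to postgres://app:hunter2@db.internal:5432/kontraxa refused" }],
  },
  breadcrumbs: [{ message: "stripe webhook verify with whsec_aBcDeFgHiJkLmNoP failed" }],
  extra: { stripe: "sk_live_FAKE0000000000000000" },
};

// Wiring, per the Sentry SDK's documented init option (DSN value assumed):
//   Sentry.init({ dsn: process.env.SENTRY_DSN, beforeSend });
const scrubbed = beforeSend(SAMPLE_EVENT, {});
console.log(JSON.stringify(scrubbed, null, 2));
```

Pattern-based scrubbing is a deny-list: it only catches secrets whose shape you anticipated, so a secret in an unexpected format (a rotated key prefix, a credential embedded in a query string) still leaks. Pair it with the header deny-list shown here, keep request bodies out of events entirely, and treat a scrubbed event as untrusted until the rules have been tested against real stack traces.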

Stripe

Billing (active when Stripe is wired)
Data handled
Plan tier, billing email, payment method tokens (never raw card numbers)
Region
Global
Compliance
PCI-DSS Level 1, SOC 2 Type 2
Never sees contract or invoice content.

Notification of changes

We notify customers under contract 30 days before adding any new sub-processor that would handle customer data. Subscribe to change notifications at privacy@kontraxa.com.