Draft — Pending Attorney Review. This is a production-ready draft. Final language will be confirmed by qualified legal counsel before Asolo's general availability launch. This document does not constitute legal advice.

Sub-Processors

Effective Date: [Pending attorney review — to be set before general availability]

Asolo (“Processor”) engages the third-party sub-processors listed below to deliver its platform services. All sub-processors are bound by data processing obligations at least equivalent to those in Asolo's Data Processing Addendum.

Notice and Objection

Asolo will provide at least 30 days' advance notice before engaging a new sub-processor that will process personal data, by:

Updating this page with the new sub-processor's details.
Sending email notice to the primary contact on file for all Firm tier accounts.

Firm tier customers may object to a new sub-processor within 30 days of notice on reasonable data protection grounds. If Asolo cannot reasonably accommodate the objection, the customer may terminate their subscription without penalty on written notice to legal@asolo.ai.

Solo and Professional tier customers are covered by the general authorization in Asolo's Privacy Policy.

Current Sub-Processors

Last updated: pending attorney review. Contact legal@asolo.ai with questions.

Sub-Processor	Purpose	Data Categories	Location / Notes
Anthropic	AI inference. Processes prompts and context submitted through the Asolo chat assistant, briefing generator, and memory summarization.	Attorney prompts; practice memory context (client/matter names, metadata snippets, AI interaction history). Raw integration data (full email bodies, file content) is not transmitted.	United States. Anthropic's API does not retain inputs or outputs for model training under Asolo's Data Processing Agreement.
Supabase	Database, authentication, row-level security, Vault secret storage, and object storage. Primary data store for the Asolo platform.	All persistent platform data: account and user profile data; client and matter records; communications metadata; memory records and vector embeddings; integration tokens (encrypted at rest via Supabase Vault); usage metrics and chat session data.	United States (AWS us-east-1). Supabase is SOC 2 Type II certified.
Vercel	Application hosting and edge network. Serves the Asolo web application and API routes.	Request and response data passing through the application (HTTP headers, request bodies, logs). Vercel does not store persistent client or matter data.	United States (primary), with edge nodes globally for performance. Vercel is SOC 2 Type II certified.
Stripe	Payment processing, subscription management, and billing portal.	Billing contact name and email; payment method details (card type, last four digits, expiry — Asolo does not receive or store full card numbers); subscription status and transaction history.	United States and European Union. Stripe is an independent data controller for payment processing purposes. Stripe is PCI DSS Level 1 certified and SOC 2 Type II certified.
Resend	Transactional email delivery. Sends briefing delivery confirmations, billing receipts, trial-expiry notices, and retention communications.	Recipient email address, name, and email content (transactional messages only; no client matter data beyond what is included in attorney-authorized briefings).	United States.
Upstash	Serverless Redis. Used for rate-limiting, short-lived session caching, and token-budget tracking.	Ephemeral data: request counters, cache keys, and rate-limit state. No persistent personal data is stored in Redis.	United States (primary). Data is short-lived and evicted by TTL policy.
Voyage AI	Vector embedding generation. Converts memory records and search queries into embeddings for semantic search.	Text of memory records submitted for embedding (client/matter metadata summaries). No full document content or email bodies.	United States.
Inngest	Background job orchestration. Manages scheduled syncs, embedding backfill, retention sequences, and event-driven workflows.	Event payloads containing user and integration IDs, sync job parameters, and job status. Payloads may include integration metadata required to trigger or log sync operations.	United States.
PostHog	Product analytics. Tracks feature usage, funnel metrics, and session behavior to inform product decisions.	Anonymized usage events: pages visited, features accessed, session duration, cohort properties. IP addresses are anonymized. No client or matter data is sent to PostHog.	United States (cloud) or European Union (EU cloud option). Asolo uses the US cloud.
Sentry	Application error monitoring and performance tracing. Captures exceptions and slow traces to support platform reliability.	Stack traces, error messages, breadcrumbs, and request context at the time of an error. Sentry is configured to scrub known PII fields before transmission.	United States. Sentry is SOC 2 Type II certified.
BetterStack	Uptime monitoring and log aggregation. Monitors platform availability and collects structured application logs.	HTTP status codes, response times, and structured log output from the application. Logs may include request metadata (route, status, latency) but are configured to exclude personal data.	European Union (BetterStack is incorporated in the EU).
Crisp	Customer support chat widget, available to authenticated Asolo users.	Name, email address, and messages sent via the support widget. Asolo configures Crisp session data with user ID and subscription tier to support context-aware support.	European Union (Crisp is incorporated in France and processes data in the EU).
Recall.ai	Meeting intelligence. Manages Recall.ai meeting bots that join Zoom and Teams calls to capture transcripts for Asolo's meeting memory feature.	Meeting audio/video processed to produce transcripts; transcript text (up to 50 segments per meeting, capped at 500 characters each) stored in Asolo's Supabase database.	United States (AWS us-west-2). Full transcript storage and multi-region support are in progress.

Anthropic

Purpose

AI inference. Processes prompts and context submitted through the Asolo chat assistant, briefing generator, and memory summarization.

Data Categories

Attorney prompts; practice memory context (client/matter names, metadata snippets, AI interaction history). Raw integration data (full email bodies, file content) is not transmitted.

Location / Notes

United States. Anthropic's API does not retain inputs or outputs for model training under Asolo's Data Processing Agreement.

Supabase

Purpose

Database, authentication, row-level security, Vault secret storage, and object storage. Primary data store for the Asolo platform.

Data Categories

All persistent platform data: account and user profile data; client and matter records; communications metadata; memory records and vector embeddings; integration tokens (encrypted at rest via Supabase Vault); usage metrics and chat session data.

Location / Notes

United States (AWS us-east-1). Supabase is SOC 2 Type II certified.

Vercel

Purpose

Application hosting and edge network. Serves the Asolo web application and API routes.

Data Categories

Request and response data passing through the application (HTTP headers, request bodies, logs). Vercel does not store persistent client or matter data.

Location / Notes

United States (primary), with edge nodes globally for performance. Vercel is SOC 2 Type II certified.

Stripe

Purpose

Payment processing, subscription management, and billing portal.

Data Categories

Billing contact name and email; payment method details (card type, last four digits, expiry — Asolo does not receive or store full card numbers); subscription status and transaction history.

Location / Notes

United States and European Union. Stripe is an independent data controller for payment processing purposes. Stripe is PCI DSS Level 1 certified and SOC 2 Type II certified.

Resend

Purpose

Transactional email delivery. Sends briefing delivery confirmations, billing receipts, trial-expiry notices, and retention communications.

Data Categories

Recipient email address, name, and email content (transactional messages only; no client matter data beyond what is included in attorney-authorized briefings).

Location / Notes

United States.

Upstash

Purpose

Serverless Redis. Used for rate-limiting, short-lived session caching, and token-budget tracking.

Data Categories

Ephemeral data: request counters, cache keys, and rate-limit state. No persistent personal data is stored in Redis.

Location / Notes

United States (primary). Data is short-lived and evicted by TTL policy.

Voyage AI

Purpose

Vector embedding generation. Converts memory records and search queries into embeddings for semantic search.

Data Categories

Text of memory records submitted for embedding (client/matter metadata summaries). No full document content or email bodies.

Location / Notes

United States.

Inngest

Purpose

Background job orchestration. Manages scheduled syncs, embedding backfill, retention sequences, and event-driven workflows.

Data Categories

Event payloads containing user and integration IDs, sync job parameters, and job status. Payloads may include integration metadata required to trigger or log sync operations.

Location / Notes

United States.

PostHog

Purpose

Product analytics. Tracks feature usage, funnel metrics, and session behavior to inform product decisions.

Data Categories

Anonymized usage events: pages visited, features accessed, session duration, cohort properties. IP addresses are anonymized. No client or matter data is sent to PostHog.

Location / Notes

United States (cloud) or European Union (EU cloud option). Asolo uses the US cloud.

Sentry

Purpose

Application error monitoring and performance tracing. Captures exceptions and slow traces to support platform reliability.

Data Categories

Stack traces, error messages, breadcrumbs, and request context at the time of an error. Sentry is configured to scrub known PII fields before transmission.

Location / Notes

United States. Sentry is SOC 2 Type II certified.

BetterStack

Purpose

Uptime monitoring and log aggregation. Monitors platform availability and collects structured application logs.

Data Categories

HTTP status codes, response times, and structured log output from the application. Logs may include request metadata (route, status, latency) but are configured to exclude personal data.

Location / Notes

European Union (BetterStack is incorporated in the EU).

Crisp

Purpose

Customer support chat widget, available to authenticated Asolo users.

Data Categories

Name, email address, and messages sent via the support widget. Asolo configures Crisp session data with user ID and subscription tier to support context-aware support.

Location / Notes

European Union (Crisp is incorporated in France and processes data in the EU).

Recall.ai

Purpose

Meeting intelligence. Manages Recall.ai meeting bots that join Zoom and Teams calls to capture transcripts for Asolo's meeting memory feature.

Data Categories

Meeting audio/video processed to produce transcripts; transcript text (up to 50 segments per meeting, capped at 500 characters each) stored in Asolo's Supabase database.

Location / Notes

United States (AWS us-west-2). Full transcript storage and multi-region support are in progress.

Contact

Sub-processor inquiries: legal@asolo.ai
Grantley Holdings LLC d/b/a Asolo

To request notification when a new sub-processor is added (all tiers), or to exercise DPA objection rights (Firm tier), email legal@asolo.ai from the address associated with your account.