Promptic GmbH
Subprocessors
Effective date: May 15, 2026
This page lists the subprocessors and material service providers Promptic uses to provide, secure, support, and bill for the Promptic service.
1. Overview
Promptic engages the following subprocessors and service providers to operate the service. The exact processing depends on the features a customer uses, the providers configured by the customer, and the deployment environment. Customer-selected model providers are used only when configured or requested by Customer.
Promptic requires subprocessors to protect personal data under written contractual, technical, and organizational safeguards. For international transfers, Promptic relies on adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Addendum, Data Privacy Framework certifications where applicable, data processing agreements, encryption, access controls, and vendor due diligence.
2. Current subprocessors and providers
| Provider | Purpose | Data processed | Location and safeguards |
|---|---|---|---|
| Vercel | Hosting, serverless functions, deployment platform, web analytics, and Vercel Blob object storage where configured. | Website and application traffic, deployment logs, request metadata, analytics reports, uploaded images/files where Vercel Blob is used, and operational data. | Production serverless functions are configured for Frankfurt. Vercel offers a DPA and subprocessors under GDPR transfer safeguards. |
| Neon | Managed PostgreSQL database hosting. | Account data, organization/workspace data, customer content, traces, evaluations, usage ledger records, and product data stored in the application database. | Production database is configured in Neon's Azure Germany West Central region with point-in-time restore history configured to six hours. Neon offers a DPA and cross-border transfer safeguards. |
| Microsoft Azure | Service Bus job queues, backend worker infrastructure, Key Vault, Container Apps, Container Registry, optional Azure Blob Storage, and optional Azure Monitor/Application Insights. | Optimization job messages, secrets, logs, telemetry, container images, application runtime metadata, and optional uploaded files. | Production Azure resources are primarily configured in West Europe. Microsoft offers enterprise data protection terms and EU Data Boundary commitments subject to documented limitations. |
| OpenAI | Platform-managed AI model processing. | Prompts, examples, variables, schemas, traces or span content, evaluator content, and model inputs/outputs needed for requested AI operations. | Promptic uses its OpenAI project configured for Europe and OpenAI API data controls, including no default training on API inputs and outputs and Modified Abuse Monitoring for eligible API processing. |
| Stripe | Always-on billing, payment processing, checkout, subscriptions, invoices, tax, payment-method metadata, fraud prevention, and customer portal operations. | Billing contacts, customer identifiers, subscription data, transaction data, invoice data, payment method metadata, fraud-prevention signals, tax data, and support interactions related to billing. | Stripe Payments Europe Limited and Stripe affiliates process payment data under Stripe's privacy terms, DPA, service-provider list, and transfer safeguards. |
| Resend | SMTP email delivery. | Email addresses, names where included, message metadata, and email content for verification, authentication, invitations, transactional notices, and operational notifications. | Resend publishes a DPA and transfer safeguards, including Standard Contractual Clauses. |
| Better Stack | Monitoring, logging, uptime, error tracking, incident response, and operational diagnostics. | Application logs, error data, request metadata, uptime events, monitoring signals, and incident diagnostics. | Better Stack publishes privacy and security terms, including GDPR information and EU-region storage statements for relevant data. |
| GitHub | Optional OAuth sign-in. | OAuth account ID, profile data, email address, token metadata, and scopes when a user chooses GitHub sign-in. | GitHub publishes privacy and data protection terms. |
| Optional OAuth sign-in and optional customer-configured Google AI provider access. | OAuth profile/email data for sign-in; customer-provided Google API keys or service account data and model inputs/outputs when customer configures Google model providers. | Google publishes Cloud data processing terms and transfer safeguards. Customer is responsible for customer-configured Google AI processing. | |
| Microsoft | Optional OAuth sign-in and optional Azure OpenAI access. | OAuth profile/email data for sign-in; model inputs/outputs and configuration data when Azure OpenAI is configured. | Microsoft publishes privacy, product, and data protection terms. Customer is responsible for customer-configured Azure OpenAI processing. |
| OpenRouter and customer-selected model providers | Optional Promptic-provided OpenRouter routing where enabled by Customer, and optional customer-configured AI provider access. | Only the prompts, inputs, outputs, metadata, and configuration needed for model calls requested, enabled, or configured by Customer. | OpenRouter routing is disabled unless Customer enables it for a workspace or model call. Underlying model providers may also process data depending on the selected route. Customer is responsible for reviewing provider-specific legal terms, locations, retention, training, and transfer safeguards before enabling or configuring the provider. |
| Object storage providers where configured | Storage and delivery of uploaded images, organization logos, profile images, and similar files. | Uploaded files, object metadata, content type, randomized file names, and public or private object URLs depending on provider configuration. | The active provider may be Vercel Blob, Azure Blob Storage, or S3-compatible storage depending on deployment configuration. |
3. Updates and objections
Promptic may update this page when subprocessors change. Unless a customer agreement states otherwise, customers may object to a new subprocessor on reasonable data protection grounds by contacting hello@promptic.eu within 30 calendar days after the update.
If an objection cannot be resolved, the customer may stop using the affected service feature or terminate the affected service as permitted by the applicable agreement.
4. Customer-selected providers
- Customer-selected AI providers are not enabled by default unless Promptic or Customer configures them for the relevant workspace, model, or experiment.
- If Customer uses BYOK or custom provider URLs, Customer instructs Promptic to send Customer Personal Data to that provider and remains responsible for the provider's terms, data residency, retention, training, and transfer safeguards.
- Customer should not submit personal or sensitive data to a provider unless Customer has confirmed the provider is appropriate for that data and use case.