Sub-processor Disclosure
A public listing of every third-party processor that AuthorityRail uses to operate the execution authority infrastructure. Updated under the change-notice commitment below.
Last revised: 2026-05-17 · Version v1.0
What is a sub-processor
A sub-processor is any third-party service AuthorityRail engages to process customer data on AuthorityRail's behalf in support of the AuthorityRail platform. Sub-processors are bound by contractual obligations consistent with AuthorityRail's commitments to customers, including the obligations of the AuthorityRail Data Processing Addendum and applicable data protection laws.
Current sub-processors
| Sub-processor | Service | Data processed | Region | Transfer mechanism |
|---|---|---|---|---|
| Cloudflare, Inc. | CDN, WAF, DDoS, TLS termination, DNS, Pages, Workers | Request metadata, IP addresses, TLS fingerprints, edge cache content | Global edge (350+ POPs) | SCCs (where applicable); Data Processing Addendum executed |
| Railway Corp. | Container hosting for AuthorityRail services (gate, customer-api, verify.*, internal-ops, billing) | Service runtime data, application logs, deployment artifacts | US (us-east4) | Direct US processing; SCCs where applicable |
| Supabase, Inc. | PostgreSQL database, authentication, Realtime, Vault, Edge Functions | Customer tenants, API keys (hashed), Certified Action Records, policy registry, usage events, signing key material | US (us-east-1) | Direct US processing; SCCs where applicable; Data Processing Addendum executed |
| Stripe Payments Inc. | Payment processing, subscription management, invoicing, customer billing portal | Customer billing contact, payment method tokens, subscription state, usage records for metered billing | US primary, EU residency for EU customers | PCI DSS Level 1; SCCs; Data Processing Addendum executed |
| Google LLC (Workspace) | Email transit (MX) for authorityrail.com and workforcerail.com mail | Inbound and outbound email content, attachments | Global Workspace infrastructure | SCCs; Google Workspace DPA |
| HubSpot, Inc. | Customer Relationship Management (CRM) for sales pipeline | Sales contact details, pipeline stage data, lead-routing records | US primary | SCCs; HubSpot DPA |
| Vapi, Inc. | Voice agent webhook routing for voice-gated authorization (when customer enables Voice Governance) | Voice-call transcripts (transient), webhook payloads | US primary | SCCs; per-customer activation only |
| GoDaddy, Inc. | Domain registration for authorityrail.com and workforcerail.com | WHOIS contact data (privacy-protected) | US | Domain Privacy enabled; SCCs not applicable (administrative metadata only) |
| Sentry (Functional Software, Inc.) | Application error monitoring (planned activation per sprint Closure #2) | Error stack traces, request metadata (with PII scrubbing) | US primary | SCCs; Sentry DPA; activation pending |
| Better Stack | Uptime monitoring and status page (planned activation per sprint Closure #8) | Probe metadata, latency, response status codes | Global probe locations | SCCs; activation pending |
| PagerDuty, Inc. | On-call notification routing (planned activation per sprint Closure #9) | Incident metadata, contact details for paging | US primary | SCCs; PagerDuty DPA; activation pending |
Change-notice commitment
AuthorityRail will notify customers of any new sub-processor or material change to an existing sub-processor at least 30 days before the change takes effect, via:
- An updated version of this page (versioned with revision date)
- Email notification to the security contact on file for active subscription customers
- A post on status.authorityrail.com tagged "Sub-processor change"
Customers with active Data Processing Addenda may object to a new sub-processor in writing within the 30-day notice window per the DPA terms. AuthorityRail will respond per the DPA escalation path.
Removed sub-processors
No sub-processors have been removed since AuthorityRail's launch. This section will be updated when removals occur.
Related documents
- Trust Center overview
- Security architecture
- Compliance posture
- Data residency
- Incident response framework
- Security contact + CVD policy