authorityrail.com / trust / subprocessors
// Trust Center

Sub-processor Disclosure

A public listing of every third-party processor that AuthorityRail uses to operate the execution authority infrastructure. Updated under the change-notice commitment below.

Last revised: 2026-05-17 · Version v1.0

What is a sub-processor

A sub-processor is any third-party service AuthorityRail engages to process customer data on AuthorityRail's behalf in support of the AuthorityRail platform. Sub-processors are bound by contractual obligations consistent with AuthorityRail's commitments to customers, including the obligations of the AuthorityRail Data Processing Addendum and applicable data protection laws.

Current sub-processors

Sub-processorServiceData processedRegionTransfer mechanism
Cloudflare, Inc.CDN, WAF, DDoS, TLS termination, DNS, Pages, WorkersRequest metadata, IP addresses, TLS fingerprints, edge cache contentGlobal edge (350+ POPs)SCCs (where applicable); Data Processing Addendum executed
Railway Corp.Container hosting for AuthorityRail services (gate, customer-api, verify.*, internal-ops, billing)Service runtime data, application logs, deployment artifactsUS (us-east4)Direct US processing; SCCs where applicable
Supabase, Inc.PostgreSQL database, authentication, Realtime, Vault, Edge FunctionsCustomer tenants, API keys (hashed), Certified Action Records, policy registry, usage events, signing key materialUS (us-east-1)Direct US processing; SCCs where applicable; Data Processing Addendum executed
Stripe Payments Inc.Payment processing, subscription management, invoicing, customer billing portalCustomer billing contact, payment method tokens, subscription state, usage records for metered billingUS primary, EU residency for EU customersPCI DSS Level 1; SCCs; Data Processing Addendum executed
Google LLC (Workspace)Email transit (MX) for authorityrail.com and workforcerail.com mailInbound and outbound email content, attachmentsGlobal Workspace infrastructureSCCs; Google Workspace DPA
HubSpot, Inc.Customer Relationship Management (CRM) for sales pipelineSales contact details, pipeline stage data, lead-routing recordsUS primarySCCs; HubSpot DPA
Vapi, Inc.Voice agent webhook routing for voice-gated authorization (when customer enables Voice Governance)Voice-call transcripts (transient), webhook payloadsUS primarySCCs; per-customer activation only
GoDaddy, Inc.Domain registration for authorityrail.com and workforcerail.comWHOIS contact data (privacy-protected)USDomain Privacy enabled; SCCs not applicable (administrative metadata only)
Sentry (Functional Software, Inc.)Application error monitoring (planned activation per sprint Closure #2)Error stack traces, request metadata (with PII scrubbing)US primarySCCs; Sentry DPA; activation pending
Better StackUptime monitoring and status page (planned activation per sprint Closure #8)Probe metadata, latency, response status codesGlobal probe locationsSCCs; activation pending
PagerDuty, Inc.On-call notification routing (planned activation per sprint Closure #9)Incident metadata, contact details for pagingUS primarySCCs; PagerDuty DPA; activation pending

Change notice commitment

AuthorityRail will notify customers of any new sub-processor or material change to an existing sub-processor at least 30 days before the change takes effect, via:

Customers with active Data Processing Addenda may object to a new sub-processor in writing within the 30-day notice window per the DPA terms. AuthorityRail will respond per the DPA escalation path.

Removed sub-processors

No sub-processors have been removed since AuthorityRail's launch. This section will be updated when removals occur.

Related documents

Draft sub-processor disclosure document under counsel review per Sprint a358619 legal drafts. This page is the canonical published version. Material legal questions: [email protected].