Legal
Sub-processors
Last updated: 19 April 2026
This page lists every third-party sub-processor that Fuze engages to process personal data on your behalf when you use the Fuze platform. This list is maintained as part of our obligations under GDPR Article 28 and the Data Processing Agreement.
Where a sub-processor is domiciled in the United States, the transfer of personal data to that sub-processor is governed by Standard Contractual Clauses (SCCs) under European Commission Implementing Decision (EU) 2021/914. We also note that US-domiciled operators are subject to the US CLOUD Act (18 U.S.C. § 2523), which may compel disclosure of data to US authorities under certain conditions. See our Security page for the mitigations we have implemented.
| Name | Legal entity | Purpose | Data location | Transfer mechanism | DPA / SCCs |
|---|---|---|---|---|---|
| Supabase, Inc. | Supabase, Inc. (Delaware, US) | PostgreSQL database, stores agent traces, run records, organisations, users, and all application data | Data stored in Google Cloud europe-west1 (Belgium). Parent entity domiciled in Delaware, US. | Standard Contractual Clauses (EU) 2021/914 Module 3 | Yes, Supabase DPA with SCCs |
| Google LLC, Firebase Authentication | Google LLC (California, US) | User authentication and identity management (Firebase Authentication) | Data processed by Google globally; EU-region configuration applied where available. Control plane US-operated. | Standard Contractual Clauses (EU) 2021/914 Module 3 | Yes, Google Cloud DPA with SCCs |
| Google LLC, Cloud Run | Google LLC (California, US) | Serverless container hosting for the Fuze API and background workers | Deployed exclusively in google Cloud europe-west1 (Belgium) | Standard Contractual Clauses (EU) 2021/914 Module 3; data hosted in EU region | Yes, Google Cloud DPA with SCCs |
| Google LLC, Secret Manager | Google LLC (California, US) | Secure storage of application secrets and encryption keys | Configured in europe-west1 region | Standard Contractual Clauses (EU) 2021/914 Module 3 | Yes, Google Cloud DPA with SCCs |
| Stripe | Stripe Payments Europe, Ltd. (Ireland) / Stripe, Inc. (Delaware, US) | Payment processing, subscription management, and billing portal | Stripe Payments Europe, Ltd. is EU-established. Some processing by Stripe, Inc. (US). Stripe is an adequacy-eligible processor. | Stripe EU entity covers EU data; US entity covered by Standard Contractual Clauses | Yes, Stripe Data Processing Agreement |
| Resend | Resend, Inc. (Delaware, US) | Transactional email delivery (account events, billing receipts, alert notifications) | Resend infrastructure primarily US-based | Standard Contractual Clauses (EU) 2021/914 Module 2 | Yes, Resend DPA with SCCs |
| Anthropic, PBC | Anthropic, PBC (Delaware, US) | Large language model inference, only for organisations that have explicitly opted in to Fuze-managed LLM agent features. Not used by default. | Anthropic infrastructure is US-based | Standard Contractual Clauses (EU) 2021/914 Module 2; applies only where opt-in is active | Yes, Anthropic DPA with SCCs (applicable on opt-in only) |
Sub-processor change notifications
We will provide at least 30 days' prior notice before adding or replacing any sub-processor. Notifications are sent to subscribers of our change-notification list and published as an update to this page with a revised “Last updated” date.
To receive sub-processor change notifications by email, send a subscription request to subscribe@fuze-ai.techwith the subject line “Sub-processor change notifications”.
Objections to new sub-processors
If you have a reasonable objection to a proposed new sub-processor on data protection grounds, you may raise it in writing within 15 days of the change notice. The procedure for objections and the consequences if we cannot accommodate your objection are set out in section 5 of the Data Processing Agreement.
Transitive sub-processors
Some of our listed sub-processors may engage their own sub-processors (“transitive sub-processors”) to deliver their services. For example:
- Supabase operates on Google Cloud Platform and Amazon Web Services infrastructure in the EU region.
- Stripe uses a number of banking and payment network partners regulated under applicable financial services law.
- Resend uses AWS SES for email delivery infrastructure.
These transitive sub-processors are bound by data protection obligations imposed by our direct sub-processors under their own processor agreements.
Questions about this list should be directed to privacy@fuze-ai.tech.