Afora Subprocessors
Last updated: July 10, 2026
Afora uses the following subprocessors to provide the Services. Each is bound by contract to process customer data only to provide its service, with data-protection obligations substantially as protective as our Data Processing Addendum (available on request — legal@aforademo.com). One exception in kind: Plaid also processes end-user data under its own End User Privacy Policy, which users accept when linking a bank account (see Privacy Policy §7). We give customers at least 30 days' notice before adding or replacing a subprocessor that processes customer data — subscribe to changes by emailing security@aforademo.com with the subject "subprocessor updates."
| Subprocessor | Purpose | Data touched | Location | Notes |
|---|---|---|---|---|
| Vercel Inc. | Application hosting and delivery | All service data in transit; logs | United States | Independent security program — see vercel.com/security |
| Supabase Inc. | Database and storage | All stored customer data (encrypted at rest) | United States | Independent security program — see supabase.com/security |
| Clerk Inc. | Authentication and user management | Names, emails, auth identifiers | United States | Independent security program — see clerk.com/security |
| Anthropic PBC | AI processing (email triage/drafting, receipt extraction, expense coding) | Content submitted to AI features | United States | No training on customer content; 30-day input/output deletion (commercial terms; safety-flagged content may be retained longer); audit reports at trust.anthropic.com |
| Plaid Inc. | Bank account connectivity and transaction retrieval | Linked-account transaction and balance data | United States | Afora never receives bank credentials; end users also accept Plaid's End User Privacy Policy; audit reports at security.plaid.com |
| Stripe, Inc. | Billing and subscription payments | Billing contact and payment records (card data stays with Stripe) | United States | PCI-DSS Level 1 — see stripe.com/docs/security |
| Resend, Inc. | Transactional email delivery | Recipient email addresses and message content for service emails | United States | See resend.com/security |
| Functional Software, Inc. (Sentry) | Error monitoring | Error reports and request metadata (scrubbed of secrets) | United States | See sentry.io/security |
| PostHog, Inc. | Product analytics | Usage events and identifiers | United States | See posthog.com/handbook/company/security |
Data sources the Customer connects directly (Google Workspace/Gmail, Microsoft 365/Outlook, the Customer's accounting system) are platforms the Customer authorizes, not Afora subprocessors; our commitments for that data are in the Privacy Policy §5–7.