Subprocessors
Providers expected to support QLAC, including scope, data handled, and safeguards pending final contractual closure.
Last updated: 2026-05-11
1. Status and scope
This list documents current or expected providers that may process personal or technical data to deliver QLAC. It must be reviewed before final B2B contracts and kept updated when architecture, hosting, billing, email, analytics, or AI providers change.
QLAC does not store card or bank details. Paddle handles payments, taxes, invoices, and payment methods as a specialized provider.
2. Initial provider list
- Vercel: hosting, deployment, CDN, technical logs, and optional Vercel Analytics. Data: IP, user agent, aggregated events, technical metadata, and public website content.
- Paddle: checkout, billing, taxes, invoicing, subscriptions, and status webhooks. Data: email, country, plan, currency, payment status, invoice references, and required tax data. QLAC does not receive full card numbers or bank details.
- Transactional email provider pending confirmation: account emails, recovery, security notices, password change notices, trials, billing, and support. Data: email, name, language, and strictly necessary message content.
- Production database, queue, and storage provider pending confirmation: storage for accounts, projects, reports, evidence, artifacts, snapshots, and security logs according to final configuration.
- GitHub/GitLab: repository access only if the customer connects the integration. Data: repository metadata, branches, authorized files, and encrypted tokens with minimal permissions.
- Optional AI provider pending activation: assisted analysis and recommendation generation only with a feature flag, documentation, consent, or an appropriate contractual basis.
- Optional PostHog: explicit conversion events when marketing_analytics is enabled and analytics consent exists. Autocapture, automatic pageview, and session replay must remain disabled unless separately reviewed.
3. Transfers and safeguards
Where a provider processes data outside the customer's country or outside the EEA, QLAC must review the DPA, the SCCs or an equivalent mechanism, supplementary measures, location, security, and retention before production use.
4. Changes and objections
B2B customers with a DPA may request reasonable notice of new material subprocessors and raise justified objections if the change increases risk or conflicts with documented instructions.
5. Deletion and return
At service termination or upon valid instruction, QLAC must delete, anonymize, or return data according to contract, technical retention, legal obligations, and reasonable backup handling.