Sub-Processors
Last updated: 19 May 2026
We use the following sub-processors to deliver the Leva service. All are bound by data processing agreements. We will update this page at least 30 days before adding a new sub-processor. To object to a new sub-processor, contact privacy@getleva.ai.
| Sub-Processor | Purpose | Data Processed | Jurisdiction | Transfer Safeguard |
|---|---|---|---|---|
| Supabase | Database, authentication, file storage, and encrypted secrets vault | All user and tenant data; OAuth tokens in encrypted vault; uploaded brand assets | EU West (Ireland) | UK adequacy regulations / EU SCCs |
| Vercel | Application hosting, CDN, edge functions, analytics | Request logs, page views (anonymised analytics), application code execution | USA (global CDN) | SCCs + UK adequacy |
| Anthropic | Large language model inference — all AI agent tasks | Business data, goals, drafts, and context submitted in LLM prompts | USA | SCCs + Anthropic API DPA (no training on customer data) |
| Portkey | LLM gateway routing all Anthropic and OpenAI calls; cost observability | All LLM prompts and responses (same data as Anthropic/OpenAI entries above) | USA | SCCs + Portkey DPA |
| OpenAI | Image generation (DALL-E 3) | Ad creative briefs and image generation prompts | USA | SCCs + OpenAI API DPA (no training on customer data) |
| fal.ai | AI video generation | Video generation prompts and generated video outputs | USA | SCCs + fal.ai DPA |
| Stripe | Payment processing, subscription management | Payment method details, transaction records, billing contact information | USA / UK (Stripe Payments Europe Ltd) | SCCs + UK adequacy; PCI-DSS certified |
| Resend | Transactional email delivery (notifications, board reports, billing emails) | Email addresses, email content | USA | SCCs + Resend DPA |
| Upstash | Redis rate limiting and QStash background job scheduling | Tenant IDs and job metadata (no personal data beyond IDs) | USA (EU region option available) | SCCs + Upstash DPA |
| Composio | OAuth aggregator for third-party integrations (Gmail, HubSpot, LinkedIn, etc.) | OAuth access tokens; tool call payloads when agents act on connected services | USA | SCCs + Composio DPA; SOC 2 Type II certified |
| Instantly | Cold email campaign sending and reply management | Prospect email addresses, email content, reply data | USA | SCCs + Instantly DPA |
| HeyReach | LinkedIn outreach draft sequences (draft-only — never auto-sent) | LinkedIn profile data for prospects, draft message content | USA | SCCs + HeyReach DPA |
| Cloudflare | CAPTCHA and bot protection (Turnstile) on account creation | IP address, browser fingerprint for bot detection (not stored by Leva) | USA (global) | SCCs + Cloudflare DPA |
Note on third-party integrations you connect:when you connect external platforms (Gmail, HubSpot, Meta Ads, LinkedIn, etc.) via Leva's integration settings, those platforms also process your data under their own terms. They are not sub-processors of Leva — they are services you have authorised Leva to connect to on your behalf.