Subprocessors & Third-Party Providers
Every external service we rely on to operate MindWiki — what data each one receives, why, and where. We list everyone in scope, not just the ones that strictly meet a regulator's 'processor' definition.
Updated 2026-05-25
Infrastructure
The platform and storage layer underneath MindWiki.
| Provider | Purpose | Data | Region |
|---|---|---|---|
| Cloudflare, Inc. | Runs every MindWiki API and AI worker (Workers + Durable Objects), the D1 database storing account/vault metadata, the R2 object store for attachments, KV caches, Vectorize for semantic search, and the global CDN in front of mindwiki.io. | Account email, password hash, vault markdown + attachments, page metadata, vector embeddings of vault content, API request logs, abuse signals, IP address. | Global edge; primary data resides in US regions. |
| Vercel Inc. | Hosts the mindwiki.io marketing site, the documentation, and the Help / Status pages. | Request logs, IP address. Vercel does not see vault content; the API and AI traffic route directly to Cloudflare. | Global edge; US primary. |
| Apple Inc. | App Store and TestFlight distribution for the iOS app; subscription billing for App Store purchases; Sign in with Apple; push notification delivery (APNs); iCloud-based optional storage for share-extension queues. | Account email (if Sign in with Apple), purchase records, App Store receipt, device push tokens, sign-in attestation. | Global; subject to Apple's regional data residency. |
AI model and voice providers
MindWiki AI features call out to upstream providers for generation and embedding. We route only what each feature needs — never raw vault dumps. None of these providers train their models on MindWiki user content; see the AI Processing Policy for the full data-flow description.
| Provider | Purpose | Data | Region |
|---|---|---|---|
| Anthropic, PBC | Claude-family models powering MindWiki AI chat, retrieval-augmented generation, and agentic actions. | Conversation turns including the page snippets we retrieved for grounding, system prompts, and the user's messages. No raw vault dumps. Anthropic does not train on inputs sent via the API. | US. |
| OpenAI, L.L.C. | GPT-family models used selectively for specific MindWiki AI features (currently: voice transcription, certain embedding models). | Audio chunks (transcription only, no persistence at OpenAI), text to embed. No raw vault dumps. OpenAI does not train on API inputs by default. | US. |
| Google LLC | Gemini-family models used selectively for cost-efficient embedding generation. | Text fragments to embed. No raw vault dumps. Google does not train on API inputs by default. | US. |
| LiveKit, Inc. | Real-time WebRTC infrastructure for MindWiki Live Conversation voice sessions. | Audio stream (transient — not stored beyond session duration), per-session room IDs, participant tokens, connection metadata. | US primary; uses global edges for media transit. |
Payments and customer messaging
Providers that handle paid subscriptions, entitlement management, and transactional / abuse email.
| Provider | Purpose | Data | Region |
|---|---|---|---|
| Stripe, Inc. | Subscription billing, checkout, customer portal, invoicing, tax calculation, and fraud screening for purchases made on MindWiki Cloud (web). | Email, billing address, card or other payment method (tokenized; MindWiki never sees raw PAN), country, applicable tax IDs, transaction history. | US primary; Stripe operates globally with regional billing. |
| RevenueCat, Inc. | Entitlement management for App Store subscriptions on iOS / macOS — verifies Apple receipts and keeps the entitlement state synced with MindWiki's server-side plan. | App Store transaction IDs, hashed user identifier, entitlement state, device platform. No payment method data (Apple handles that). | US. |
| Resend, Inc. | Transactional email delivery — magic-link sign-in emails, receipts, password resets, account-action notifications, abuse notifications. | Recipient email address, message subject, message body, delivery metadata (sent / opened / bounced). | US primary. |
Operational and observability
Providers that help us run the service reliably.
| Provider | Purpose | Data | Region |
|---|---|---|---|
| Cloudflare Logs / Workers Analytics | Aggregate request analytics, error rates, and operational dashboards for MindWiki's own infrastructure on Cloudflare. Same provider as the underlying compute, so no additional data transfer. | Request paths, response codes, latency, IP address (truncated for analytics). | Aligned with the Cloudflare entry above. |
| Sentry (Functional Software, Inc.) | Crash reporting and error monitoring on the iOS and macOS apps when the user opts into anonymized diagnostics in Settings. | Crash stack trace, app version, OS version, device model. Personal data is scrubbed from breadcrumbs and contexts; no vault content is sent. | US. |
Data transfers
MindWiki is operated from the United States. Many of our subprocessors operate primarily in the US, with global edge networks. Where users in the EU/UK, Brazil, Canada, Australia, or other regions use the Service, personal data may be transferred to the US. We rely on the following safeguards:
- EU/UK to US— Standard Contractual Clauses (SCCs) with the relevant subprocessors; equivalent UK IDTA where applicable; reliance on providers' certifications under the EU-US Data Privacy Framework where the provider is certified.
- Switzerland — Swiss Federal Data Protection and Information Commissioner (FDPIC) recognition of SCCs.
- Canada, Brazil, Australia, Korea, Japan— equivalent transfer mechanisms as recognized by each jurisdiction, plus the provider's own commitments.
For copies of the relevant SCCs or DPA, email dpo@mindwiki.io.
Data Processing Agreement (DPA)
If your use of MindWiki triggers a controller / processor relationship under GDPR or comparable laws, we offer a standard Data Processing Agreement that incorporates the SCCs by reference and lists our subprocessors. Request one at dpo@mindwiki.io with the legal entity that will sign.
Adding or changing subprocessors
New subprocessors that will process personal data are added with at least 30 days' notice. We publish the change here and email customers who've opted in to product updates. If you object to a new subprocessor before it takes effect, you may terminate the Service and request deletion of your data without penalty.