Legal

Sub processors

Last updated: June 2026 · This list is kept current. Customers are notified 30 days before any addition.

A subprocessor is a third party that re.fer engages to help deliver the service. Each one is reviewed for security posture and bound by contractual obligations that match the commitments in our DPA. Customers can subscribe to updates of this page by emailing privacy@userefer.app.

Supabase

Always in use

Primary database, authentication, and storage for the production application.

Location: United States (AWS us-east-1)DPA / security page →

Vercel

Always in use

Web application hosting, edge runtime, and static asset delivery.

Location: United States and global edge networkDPA / security page →

Upstash

Always in use

Redis-backed rate limiting and short-lived queue state.

Location: United StatesDPA / security page →

Resend

Always in use

Transactional email delivery for invites, verification, and alerts.

Location: United StatesDPA / security page →

Groq

Managed AI tier

LLM inference for Rehoboam summaries on demo and free-tier workspaces (fallback LLM).

Location: United StatesDPA / security page →

Prompts contain derived insight summaries only. Never raw collaboration content.

Mistral

Managed AI tier

LLM inference for Rehoboam summaries on demo and free-tier workspaces (EU-region fallback LLM).

Location: European Union (France)DPA / security page →

Used as the EU-region fallback. Prompts contain derived insight summaries only.

Anthropic

Managed AI tier

LLM inference for Rehoboam — managed Claude (Sonnet) for paid workspaces, and when a customer brings their own Anthropic key.

Location: United StatesDPA / security page →

Prompts carry derived insight summaries (people names, team names, edge counts), never raw message content. BYOK customers route through their own Anthropic key, which re.fer never sees.

OpenAI

BYOK only

LLM inference for Rehoboam, used only when an Enterprise customer enables Bring Your Own Key.

Location: United StatesDPA / security page →

Requests route through the customer’s own OpenAI account and key. re.fer does not see the key.

Ollama

BYOK only

Self-hosted LLM inference for Rehoboam, used only when an Enterprise customer points re.fer at a self-hosted Ollama endpoint.

Location: Customer-hostedDPA / security page →

Inference stays inside the customer’s own network. No data leaves the customer environment.

How changes are announced

When re.fer plans to add a new subprocessor, the customer’s primary admin receives an email at least 30 days in advance. The customer can object during that window. If we cannot resolve the objection, the customer may terminate the affected service for a pro-rata refund of any unused prepaid fees.

See also: Data Processing Agreement · Security whitepaper · Privacy