Legal

Sub-processors

Safety Harmonics uses the third-party service providers below to operate Anchor. This list describes each provider's purpose, the categories of data shared, and the maximum data classification approved for that provider.

Effective date: 2026-05-02
Last updated: 2026-05-02
Change notice: 30 days for material changes

Supabase

Used as the primary application data platform.

RESTRICTED

Purpose: Database, authentication-adjacent profile records, storage, and row-level security enforcement.
Data shared: Application database records, customer incident data, evidence metadata, profile records, and organization metadata.
Policies: Privacy policy DPA

Clerk

CONFIDENTIAL

Purpose: Authentication, identity management, organization membership, and session handling.
Data shared: User identity, email address, organization membership, authentication metadata, and session metadata.
Policies: Privacy policy DPA

Vercel

CONFIDENTIAL

Purpose: Hosting, serverless application infrastructure, web analytics, and performance insights.
Data shared: Application logs, deployment metadata, IP-derived request metadata, page view events, and performance telemetry.
Policies: Privacy policy DPA

Resend

CONFIDENTIAL

Purpose: Transactional email delivery.
Data shared: Recipient email address, email subject, transactional message body, delivery events, and bounce metadata.
Policies: Privacy policy DPA

PostHog

CONFIDENTIAL

Purpose: Product analytics, usage events, and product improvement telemetry.
Data shared: Usage events, user identity fields, organization identifiers, browser metadata, and event properties.
Policies: Privacy policy DPA

Anthropic API

Current direct AI inference provider. For HIPAA-covered deployments, the planned path is AWS Bedrock under an AWS BAA.

RESTRICTED

Purpose: AI inference for debrief, synthesis, root-cause analysis, learning extraction, and tagging workflows.
Data shared: AI feature inputs, including incident content, debrief transcripts, RCA context, and learning-related content.
Policies: Privacy policy

Processor	Purpose	Data shared	Max classification	Policies
Supabase Used as the primary application data platform.	Database, authentication-adjacent profile records, storage, and row-level security enforcement.	Application database records, customer incident data, evidence metadata, profile records, and organization metadata.	RESTRICTED	Privacy policy DPA
Clerk	Authentication, identity management, organization membership, and session handling.	User identity, email address, organization membership, authentication metadata, and session metadata.	CONFIDENTIAL	Privacy policy DPA
Vercel	Hosting, serverless application infrastructure, web analytics, and performance insights.	Application logs, deployment metadata, IP-derived request metadata, page view events, and performance telemetry.	CONFIDENTIAL	Privacy policy DPA
Resend	Transactional email delivery.	Recipient email address, email subject, transactional message body, delivery events, and bounce metadata.	CONFIDENTIAL	Privacy policy DPA
PostHog	Product analytics, usage events, and product improvement telemetry.	Usage events, user identity fields, organization identifiers, browser metadata, and event properties.	CONFIDENTIAL	Privacy policy DPA
Anthropic API Current direct AI inference provider. For HIPAA-covered deployments, the planned path is AWS Bedrock under an AWS BAA.	AI inference for debrief, synthesis, root-cause analysis, learning extraction, and tagging workflows.	AI feature inputs, including incident content, debrief transcripts, RCA context, and learning-related content.	RESTRICTED	Privacy policy

Material changes

Safety Harmonics will provide at least 30 days of advance notice before adding a new sub-processor or making a material change to how an existing sub-processor handles customer data, except where urgent security, legal, or service-continuity needs require a shorter timeline.