Subprocessors
Last updated:
About This List
Shiko uses third-party service providers ("subprocessors") to help deliver our service. Under GDPR Article 28, we are required to disclose these subprocessors and ensure they meet our data protection standards.
All subprocessors listed below have been vetted for security and privacy practices. Where applicable, we have Data Processing Agreements (DPAs) or Standard Contractual Clauses (SCCs) in place to protect your data.
Current Subprocessors
| Provider | Purpose | Location | DPA Status |
|---|---|---|---|
| Supabase | Database, Authentication, Real-time collaboration | US (Ohio) | GDPR DPA included, SCCs for EU transfers |
| Polar.sh | Payment processing, Subscription management | US | GDPR compliant |
| OpenAI | AI-powered features (suggestions, Q&A, content generation) | US | DPA available |
| Vercel | Application hosting, Edge functions, CDN | US (Global CDN) | GDPR DPA included |
| Resend | Transactional email delivery | US (N. Virginia) | GDPR compliant |
| Google OAuth | Social login authentication | US | SCCs available |
| GitHub OAuth | Social login authentication | US | SCCs available |
Data Processing Details
Supabase
- Purpose
- Database, Authentication, Real-time collaboration
- Location
- US (Ohio)
- Data Processed
- User accounts, mind maps, nodes, edges, comments, sessions
- Privacy Policy
- View →
- DPA Status
- GDPR DPA included, SCCs for EU transfers
Polar.sh
- Purpose
- Payment processing, Subscription management
- Location
- US
- Data Processed
- Email, name, billing information, payment history
- Privacy Policy
- View →
- DPA Status
- GDPR compliant
OpenAI
- Purpose
- AI-powered features (suggestions, Q&A, content generation)
- Location
- US
- Data Processed
- Node content sent for AI processing (not stored by OpenAI)
- Privacy Policy
- View →
- DPA Status
- DPA available
Vercel
- Purpose
- Application hosting, Edge functions, CDN
- Location
- US (Global CDN)
- Data Processed
- Application code, request logs, IP addresses
- Privacy Policy
- View →
- DPA Status
- GDPR DPA included
Resend
- Purpose
- Transactional email delivery
- Location
- US (N. Virginia)
- Data Processed
- Email addresses, email content for delivery
- Privacy Policy
- View →
- DPA Status
- GDPR compliant
Google OAuth
- Purpose
- Social login authentication
- Location
- US
- Data Processed
- Authentication tokens, email, name, profile picture
- Privacy Policy
- View →
- DPA Status
- SCCs available
GitHub OAuth
- Purpose
- Social login authentication
- Location
- US
- Data Processed
- Authentication tokens, email, username, profile picture
- Privacy Policy
- View →
- DPA Status
- SCCs available
Changes to Subprocessors
We may update our list of subprocessors from time to time. When we add a new subprocessor that processes personal data, we will:
- Update this page with the new subprocessor details
- Notify users by email at least 14 days before the change takes effect (for material changes)
- Ensure appropriate data protection agreements are in place
If you object to a new subprocessor, you may terminate your account before the change takes effect by contacting us.
Questions
If you have questions about our subprocessors or data processing practices, please contact us at support@shiko.app.
For business customers requiring a Data Processing Agreement (DPA), please contact us at the same email address.