Legal · Global · GDPR Art. 28

Sub-processors

Last updated: May 15, 2026

Draft — pending counsel review. This page is a good-faith summary of our practices; the legally binding text will be published here after qualified counsel in the relevant jurisdiction has approved the wording. For binding statements today, contact vamsy@qbridge.ai.

Public register of every third party we engage to process personal data on your behalf. We will notify Customers of new sub-processors at least 30 days before they begin processing data (SOC 2 Privacy P5; SCC Module 2/3 Clause 9). Customers on a paid plan may object within that window.

Active sub-processors

#	Sub-processor	Role	Residency	Contract	BAA
1	Supabase Inc.	Managed Postgres + Object Storage (audit ledger, regulatory artefacts)	us-east-1 (AWS)	DPA + SCC Modules 2 & 3	Available on Enterprise — required before HIPAA-covered customer
2	Fly.io, Inc.	API hosting (FastAPI service)	iad (Ashburn, VA, US)	DPA + SCC	Not applicable
3	Vercel Inc.	Web hosting (Next.js); httpOnly session cookie	Global edge + IAD origin (US)	DPA + SCC	Not applicable
4	Anthropic PBC	Claude API — AI-assisted drafting; zero-retention mode	US	DPA + SCC; zero-retention API default	Available on Enterprise — required before any PHI in prompts
5	Postmark (ActiveCampaign LLC)	Inbound + outbound transactional email (FDA correspondence)	US	DPA	Available on request — required if PHI in correspondence
6	Functional Software, Inc. (Sentry)	Error tracking (PII-scrubber enabled)	US	DPA + SCC	Not applicable
7	GitHub, Inc. (Microsoft)	Source-code hosting; CI	US	DPA + SCC	Not applicable
8	Amazon Web Services, Inc.	Underlying infrastructure for Supabase	us-east-1	Inherited via Supabase DPA	Inherited

Latent — agency gateways & legacy-system bridges

These appear in our integrations catalogue but process no customer data today. A given gateway becomes an active sub-processor for your tenant only when you sign the gateway-specific authorisation and queue a signed human-in-the-loop push. At that point this list is updated and the 30-day notice clause kicks in.

FDA CDRH Portal · Premarket
FDA Electronic Submissions Gateway (ESG)
FDA WebTrader
FDA userfees.fda.gov · MDUFA
EUDAMED · EU MDR / IVDR
Health Canada · MDALL
PMDA · Japan
TGA · Australia (ARTG)
HSA · Singapore
ANVISA · Brazil
COFEPRIS · Mexico
SAT · Mexico CFDI 4.0
Veeva Vault · QualityDocs
Veeva Vault · RIM Submissions
MasterControl Quality Excellence
Greenlight Guru · QMS
Microsoft SharePoint Online
Box · Enterprise
Egnyte · Compliance Cloud
SAP S/4HANA
Oracle NetSuite

How we notify you of changes

New sub-processor: 30-day advance notice via in-app banner and email to the workspace's principal contact.
Sub-processor incident affecting your data: notice within 72 hours of becoming aware (GDPR Art. 33) / without delay (LFPDPPP) / 60 days (HIPAA — but we honour the strictest applicable clock).

How to object

Customers on a paid plan may object to a new sub-processor within the 30-day notice window. If we cannot offer a reasonable alternative, you may terminate the affected service without penalty for the unused portion of your subscription.

Contact

Privacy enquiries: privacy@qbridge.ai. Sub-processor transparency questions can also be addressed there.

Privacy enquiriesprivacy@qbridge.ai

Privacy Aviso (ES)Sub-processors AI use Terms Cookies ← Back home