Subprocessors

Who else processes your data.

Last updated: 2026-05-04

To run Taxottic we rely on a short, vetted list of vendors. We do not engage a new subprocessor without first reviewing their security practices and data-protection commitments. We update this page when we add or change a vendor and announce material changes in-app at least 30 days before they take effect.

Vercel

Their privacy notice ↗
Role
Hosting + CDN for the Taxottic web app.
Data processed
HTTP request metadata, IP at request time (not stored long-term).
Region
United States (global edge for static assets).
Certifications
SOC 2 Type II, ISO 27001, GDPR-aligned DPA.

Supabase

Their privacy notice ↗
Role
Postgres database, authentication, storage of user files.
Data processed
All application data (tax profiles, expenses, conversations, bank metadata).
Region
United States (AWS us-east-1).
Certifications
SOC 2 Type II, HIPAA-eligible, GDPR-aligned DPA.

Plaid

Their privacy notice ↗
Role
Bank connectivity, transaction sync.
Data processed
Bank account ID, transaction merchant + date + amount, institution name. Bank credentials are entered into Plaid's UI and never reach Taxottic.
Region
United States.
Certifications
SOC 2 Type II, ISO 27001:2013, AICPA SOC for Service Organisations.

Anthropic

Their privacy notice ↗
Role
Powers Bella, our in-app AI tax guide.
Data processed
Messages you send to Bella + minimal account context (display name, plan tier).
Region
United States.
Certifications
SOC 2 Type II. Enterprise agreement: zero data retention for training.

Stripe

Their privacy notice ↗
Role
Subscription billing for paid tiers.
Data processed
Email, billing address, last-four card digits via Stripe-hosted checkout. Full card numbers never reach Taxottic.
Region
United States.
Certifications
PCI DSS Level 1, SOC 1 / SOC 2 Type II, ISO 27001.

Google

Their privacy notice ↗
Role
Optional sign-in via Google OAuth.
Data processed
Name, email, profile photo from the openid email profile scopes.
Region
United States.
Certifications
ISO 27001, SOC 2/3, FedRAMP.

Microsoft

Their privacy notice ↗
Role
Optional sign-in via Microsoft Identity Platform.
Data processed
Name, email, profile photo from the openid email profile scopes.
Region
United States and EU (per Microsoft's regional model).
Certifications
SOC 1/2/3, ISO 27001, FedRAMP.

Want a Data Processing Agreement (DPA)? See our standard template at /legal/dpa, or write to privacy@taxottic.com.