Legal
Sub-processors
Last updated: 2026-05-23 · Version v1.0.0
EverCFO is operated by Celeste Business Advisors LLP (“EverCFO”, “we”, “our”, or “us”). This page lists every third-party sub-processor we engage to operate the EverCFO service, what data each receives, where the data is stored, and the data processing agreement that governs each relationship. It is the canonical record cross-referenced by our Privacy Policy section 3 and (when published) our Data Processing Addendum.
1. What a sub-processor is and why this list matters
A sub-processoris any third party we use to process customer personal data on our behalf in the course of providing EverCFO. Under GDPR Article 28 (and equivalent regulation elsewhere), every sub-processor must be bound by a data processing agreement (DPA) that imposes the same data protection obligations on the sub-processor that you have with us, and we remain liable to you for the sub-processor’s acts and omissions.
We publish this list (a) so business customers can complete their own vendor risk reviews, (b) so we can give material-change notice before adding or replacing a sub-processor, and (c) so every contractual statement we make about who processes your data is traceable to a single source of truth.
The list below is generated directly from src/data/subprocessors.ts in our codebase. Anything that ships into production is reconciled against this file. We currently engage 19 sub-processors (one of which, Plaid Inc., is disclosed forward-looking and only begins to process data once a tenant initiates a bank connection).
2. Current sub-processors
Sub-processors are grouped by function. Within each group, entries are ordered as they appear in our source-of-truth file. The “Last reviewed” column reflects the most recent date we verified the row against the deployed system (data categories, storage location, DPA URL).
Database
Hosting and infrastructure
| Provider | Role | Data categories | Storage | Privacy policy | DPA | Last reviewed |
|---|---|---|---|---|---|---|
Vercel Vercel Inc. | Frontend hosting and edge network |
| Global edge / Vercel infrastructure | Link | Link | 2026-05-22 |
Railway Railway Corp. | Backend hosting |
| United States | Link | Link | 2026-05-22 |
Cloudflare Cloudflare, Inc. | DNS and WAF |
| Global | Link | Link | 2026-05-23 |
Integrations and connectors
| Provider | Role | Data categories | Storage | Privacy policy | DPA | Last reviewed |
|---|---|---|---|---|---|---|
Nango Brokeur Inc. (Nango) | OAuth broker for connected third-party integrations |
| United States | Link | Link | 2026-05-22 |
Hookdeck Hookdeck Technologies Inc. | Inbound webhook routing |
| United States | Link | Link | 2026-05-22 |
Plaid Plaid Inc. | Bank account aggregation |
| United States (Plaid's US infrastructure) | Link | On request | 2026-05-22 |
AI models and inference
| Provider | Role | Data categories | Storage | Privacy policy | DPA | Last reviewed |
|---|---|---|---|---|---|---|
OpenRouter OpenRouter, Inc. | AI model routing layer |
| United States | Link | On request | 2026-05-22 |
Anthropic Anthropic PBC | AI model provider — Claude Sonnet 4.6 and Haiku 4.5 |
| United States | Link | Link | 2026-05-22 |
Google Google LLC | AI model provider — Gemini 3 Flash classifier |
| United States (Vertex AI) | Link | Link | 2026-05-22 |
OpenAI OpenAI, OpCo, LLC | Embedding model |
| United States | Link | Link | 2026-05-22 |
Observability and analytics
| Provider | Role | Data categories | Storage | Privacy policy | DPA | Last reviewed |
|---|---|---|---|---|---|---|
Langfuse Langfuse GmbH | LLM tracing and observability |
| United States (us.cloud.langfuse.com) | Link | Link | 2026-05-22 |
PostHog PostHog Inc. | Product analytics, session replay, and error tracking |
| United States | Link | Link | 2026-05-22 |
BetterStack Better Stack s.r.o. | Uptime monitoring and incident response |
| European Union (Czech Republic) | Link | Link | 2026-05-22 |
Background jobs and scheduling
Secrets management
| Provider | Role | Data categories | Storage | Privacy policy | DPA | Last reviewed |
|---|---|---|---|---|---|---|
Infisical Infisical Inc. | Secret management |
| United States | Link | On request | 2026-05-22 |
Email and communications
| Provider | Role | Data categories | Storage | Privacy policy | DPA | Last reviewed |
|---|---|---|---|---|---|---|
Google Workspace Google LLC | Company email infrastructure (primary inbox + aliases) |
| United States | Link | Link | 2026-05-23 |
Resend Resend Inc. | Transactional email delivery |
| United States | Link | Link | 2026-05-22 |
Payments and billing
3. How we vet and manage sub-processors
Before a sub-processor goes into production behind customer data, we verify each of the following:
- Written DPA in force.A data processing agreement (or equivalent contract) is executed with terms consistent with GDPR Article 28(3) — including processing only on documented instructions, confidentiality obligations, security measures, breach notification, deletion-or-return at end of service, and audit rights.
- Cross-border safeguards where required. Where the sub-processor processes EU or UK personal data outside the EEA / UK, the relevant Module Three Standard Contractual Clauses (or equivalent transfer mechanism) apply.
- Minimum-necessary data. Each sub-processor receives only the data categories listed in its row above. When we change what we send, we update this list and the privacy policy in the same release.
- Breach notification. Each sub-processor is contractually required to notify EverCFO of any personal data breach without undue delay, so that EverCFO can in turn notify affected customers in accordance with Privacy Policy section 11.
- Deletion on request. When a customer exercises a deletion or end-of-contract right, we propagate that instruction to sub-processors that hold copies of relevant data within the timelines stated in our Privacy Policy and Terms.
We review every sub-processor row in this list periodically and bump the “Last reviewed” date when the row is re-verified against the deployed system. A material change to a sub-processor (added role, expanded data categories, changed storage region, replacement provider) triggers a notification under section 4 below.
4. Notifications of material changes
Before adding a new sub-processor or making a material change to an existing one (for example, a change of storage region or expanded data categories), we will give business customers at least 30 days’ advance written notice. This commitment also appears in our Data Processing Addendum when published.
To receive material-change notifications, email privacy@evercfo.ai from the address associated with your EverCFO account and ask to be added to the sub-processor notification list. We do not yet offer an in-product subscription control; when we ship one, we will update this section.
You may object to a proposed new sub-processor for reasonable grounds related to data protection. If we cannot accommodate your objection within a reasonable period, you may terminate the affected portion of the service in accordance with our Terms of Service.
5. Contact
Questions about a specific sub-processor or about our sub-processor management program can be sent to our privacy contact at privacy@evercfo.ai. For the broader privacy program and full contact details, see Privacy Policy section 13.