Subprocessors
SentraCheck uses a small number of third-party services to deliver our document compliance platform. This page lists every subprocessor that may process customer data, the categories of data they receive, and where they process it.
Active subprocessors
| Subprocessor | Purpose | Categories of data | Processing location |
|---|---|---|---|
| Amazon Web Services, Inc. (Infrastructure · ISO 27001 / SOC 2 / FedRAMP High) | Application hosting, compute, object storage, encrypted databases, network and DDoS protection. | Customer documents (transient, processed in memory and deleted on completion); scan findings & redaction artifacts; user account data; audit logs. | United States · us-west-1 (N. California). Region-locked. No cross-region replication. |
| Anthropic, PBC (AI processing · SOC 2 Type II) | Document understanding, PII detection, ADA / WCAG analysis, and PDF → HTML conversion via the Claude API. | Document content sent for analysis. Anthropic does not retain or train on Claude API inputs by default. Customers using BYOK may configure additional restrictions in their own Anthropic account. | United States. SentraCheck routes API calls through Anthropic’s US endpoints. |
| Stripe, Inc. (Payment processing · PCI DSS Level 1) | Subscription billing, credit-card and ACH processing, invoice management for self-serve plans. | Billing contact name and email, billing address, payment-method tokens. SentraCheck never receives full card numbers. | United States. |
| Cloudflare, Inc. (Edge security · SOC 2 Type II / ISO 27001) | DNS, TLS termination, DDoS mitigation, bot management for sentracheck.com and customer-facing endpoints. | Connection metadata (IP address, user agent, request URL, timestamp). No document content. No request bodies stored. | Global edge; processing nearest to the requester. Origin in US only. |
| Clerk, Inc. (Authentication · SOC 2 Type II / HIPAA) | User authentication, session management, MFA, SSO (Microsoft Entra, Google Workspace), password & passkey handling. | User email, name, password hash (Clerk-managed, never seen by SentraCheck), session tokens, MFA factors, OAuth identity-provider tokens. SentraCheck never stores raw passwords. | United States. |
| Resend, Inc. (Transactional email · SOC 2 Type II) | Account, billing, scan-completion, and security notification emails. | Recipient email address, message body (sender identity, subject, content of the notification). | United States. |
BYOK customers (bring your own Anthropic key)
Customers using BYOK provide their own Anthropic API key. In that configuration, document content is sent directly to the customer’s Anthropic account under the customer’s own commercial terms with Anthropic. SentraCheck does not see, log, or retain those API requests beyond standard SentraCheck audit metadata (who, when, which document, which module). The data-protection terms between the customer and Anthropic apply directly.
Data residency & sovereignty
All persistent customer data — accounts, scan findings, redaction artifacts, audit logs — is stored exclusively in AWS us-west-1 (N. California). Documents themselves are processed in memory and permanently deleted within seconds of result delivery; SentraCheck does not retain document content beyond the active scan window.
For California public agencies bound by AB 1456 / Government Code § 11546.7 data-residency requirements, SentraCheck’s region-locked architecture satisfies in-state processing expectations. Federal customers requiring FedRAMP-equivalent controls should request the Enterprise tier (dedicated infrastructure available).
Removed / former subprocessors
None at this time. Any future removals will be documented here with the date of removal and the reason.
Questions?
Email security@sentracheck.com with subprocessor questions or change-notification subscription requests, or to receive our Data Processing Agreement template at sentracheck.com/dpa.html.