overskill overskill Trust Center
Back to OverSkill
Security Compliance AI Governance Status

Authorized Subprocessors

This page lists the third-party subprocessors that OverSkill engages to provide our services. We maintain contractual agreements with each subprocessor to ensure appropriate data protection.

Last updated: December 22, 2025

Subprocessor Purpose Location Compliance DPA
Render, Inc. Application hosting, infrastructure USA (Oregon, Frankfurt) SOC 2 Type II, ISO 27001 In place
Cloudflare, Inc. CDN, DDoS protection, edge computing (Workers) Global SOC 2 Type II, ISO 27001, PCI DSS In place
Stripe, Inc. Payment processing USA SOC 2 Type II, PCI DSS Level 1 In place
Supabase, Inc. Database hosting, authentication services USA SOC 2 Type II In place
Anthropic PBC AI model provider (Claude)
No personal data retention 		USA API Terms of Service N/A
Google Cloud AI model provider (Gemini) USA SOC 2 Type II, ISO 27001 In place
GitHub, Inc. Code repository backup (optional) USA SOC 2 Type II In place
Apple Inc. Push notification delivery (APNs)
Device tokens only 		USA Platform API Terms N/A

Render, Inc.

DPA

Purpose: Application hosting, infrastructure

Location: USA (Oregon, Frankfurt)

Compliance: SOC 2 Type II, ISO 27001

Cloudflare, Inc.

DPA

Purpose: CDN, DDoS protection, edge computing (Workers)

Location: Global

Compliance: SOC 2 Type II, ISO 27001, PCI DSS

Stripe, Inc.

DPA

Purpose: Payment processing

Location: USA

Compliance: SOC 2 Type II, PCI DSS Level 1

Supabase, Inc.

DPA

Purpose: Database hosting, authentication services

Location: USA

Compliance: SOC 2 Type II

Anthropic PBC

Purpose: AI model provider (Claude)

Location: USA

Compliance: API Terms of Service

No personal data retention

Google Cloud

DPA

Purpose: AI model provider (Gemini)

Location: USA

Compliance: SOC 2 Type II, ISO 27001

GitHub, Inc.

DPA

Purpose: Code repository backup (optional)

Location: USA

Compliance: SOC 2 Type II

Apple Inc.

Purpose: Push notification delivery (APNs)

Location: USA

Compliance: Platform API Terms

Device tokens only

Subprocessor Update Policy

In accordance with our Data Processing Agreement and GDPR requirements:

  • We will provide 30 days' advance written notice before engaging any new subprocessor.
  • Customers may object to new subprocessors within the notice period by identifying specific, material data protection concerns.
  • If an objection cannot be resolved, affected customers may terminate without penalty.
  • All subprocessors must meet our security standards (SOC 2 or ISO 27001 preferred).

Pre-Approved Categories

Our Data Processing Agreement authorizes subprocessors in the following categories, provided they meet our security standards:

Cloud infrastructure & hosting
Database & storage providers
AI model providers
Security monitoring
Payment processing
Customer support

Subscribe to Subprocessor Updates

Receive notifications when we add or change subprocessors, as required by your Data Processing Agreement.

Subscribe to Updates