Sub-Processors
Last updated: April 17, 2026
CivicCA engages the third-party Sub-Processors listed below to deliver and operate the Service. Each Sub-Processor is bound by contract to data-protection obligations no less protective than those in our Data Processing Addendum. We provide at least 30 days' prior notice of any new Sub-Processor by updating this page and, for Government plan customers, by email to the procurement contact on file.
Subscribe to changes
Email sales@civicca.com with subject line "Sub-processor notifications" to be added to the change-notification list. Government plan customers are added by default.
Current Sub-Processors
| Sub-Processor | Purpose | Data location | Engaged since |
|---|---|---|---|
| Amazon Web Services, Inc. Seattle, WA, USA |
Cloud infrastructure: application hosting, database, object storage (S3), CDN, secrets management | USA (us-west-2 / us-east-1) | Founding |
| Anthropic, PBC San Francisco, CA, USA |
AI text processing — agenda summarization, plain-language rewriting, compliance analysis, AI chat (when enabled) | USA | Founding |
| AssemblyAI, Inc. San Francisco, CA, USA |
Audio transcription with speaker diarization (when meeting transcription is enabled) | USA | Founding |
| Stripe, Inc. San Francisco, CA, USA |
Subscription billing, payment-instrument storage, invoice delivery (PCI DSS Level 1) | USA | Founding |
| Resend, Inc. San Francisco, CA, USA |
Transactional email delivery — agenda notifications, reminders, password resets | USA | Founding |
| SignalWire, Inc. Palo Alto, CA, USA |
Voice / SMS infrastructure for outbound calls and notifications (when telephony features are enabled) | USA | Founding |
| Plausible Insights OÜ Tallinn, Estonia |
Privacy-friendly website analytics for marketing pages only — no cookies, no personal data, no tracking across sites | European Union | Founding |
| Cloudflare, Inc. San Francisco, CA, USA |
DNS, DDoS mitigation, Web Application Firewall, edge caching for marketing pages | Global anycast (data plane) | Founding |
What's not a Sub-Processor
The following are not Sub-Processors of Customer Personal Information under our DPA, but are listed for transparency:
- Customer-controlled integrations (e.g., the agency's chosen video platform, the agency's own email server) — these are direct Customer relationships;
- OAuth identity providers if Customer chooses SSO (Google Workspace, Microsoft Entra) — these are Customer-side identity infrastructure;
- Public-facing CDN-hosted assets (fonts, JavaScript libraries) on the public marketing pages — these do not receive Customer Personal Information.
Change history
- April 17, 2026 — Initial published Sub-Processor list.
All future additions, removals, or material changes will be appended here with the effective date.
Related: Data Processing Addendum · Security Overview · Privacy Policy.