New: CheckVibe MCP server — scan from Claude Code and Cursor nativelyRead the docs
Last updated: May 17, 2026 (v1.0)
This page lists the third-party service providers that CheckVibe engages as subprocessors to deliver the Service. The list is provided for transparency and as part of our data-protection commitments. It is incorporated by reference into our Privacy Policy and Data Processing Addendum.
Each subprocessor is engaged under contractual obligations consistent with applicable data-protection law, including, where required, European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum. We share only the minimum data necessary for each subprocessor's function.
| Subprocessor | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| Vercel Vercel Inc. | Web hosting, edge functions, CDN | Account identifiers, request logs, IP addresses, technical telemetry | United States (global edge) | SCCs / EU-U.S. Data Privacy Framework |
| Supabase Supabase Inc. | Authentication, primary database, file storage | Account data, scan data, integration tokens (encrypted), session data | United States / EU | SCCs / EU-U.S. Data Privacy Framework |
| Stripe Stripe, Inc. / Stripe Payments Europe Ltd. | Payment processing, subscription billing, invoicing | Billing email, country, postal code, payment-method metadata, transaction history | United States / Ireland | SCCs / EU-U.S. Data Privacy Framework |
| Resend Resend, Inc. | Transactional & outreach email delivery | Email address, email content, delivery metadata, IP of opens (where applicable) | United States | SCCs / EU-U.S. Data Privacy Framework |
| Google (Safe Browsing) Google LLC | Malicious-URL and phishing reputation lookup for scanned URLs | URLs submitted for reputation check (hashed where possible) | United States | SCCs / EU-U.S. Data Privacy Framework |
| Google (Gemini API) Google LLC | AI-assisted analysis of scan findings and content | Scan-finding text submitted for AI analysis (no Customer Content used for training) | United States / EU | SCCs / EU-U.S. Data Privacy Framework |
| GitHub (API) GitHub, Inc. (subsidiary of Microsoft Corp.) | Repository scanning (only when you connect a repository) | Repository metadata and contents you authorize, OAuth/PAT token (held by us, encrypted) | United States / EU | SCCs / EU-U.S. Data Privacy Framework |
| NIST National Vulnerability Database U.S. National Institute of Standards and Technology | Public CVE lookup for dependency and configuration scanning | Package names and versions submitted for CVE lookup | United States | Public-data lookup; no personal data shared |
| Sentry Functional Software, Inc. (Sentry) | Backend error monitoring & alerting (when enabled) | Error stacks, request metadata, user identifier (where attached) | United States / EU | SCCs / EU-U.S. Data Privacy Framework |
| PostHog PostHog Inc. | Product analytics inside the authenticated dashboard (when enabled) | Event metadata, account identifier, page paths | United States / EU | SCCs / EU-U.S. Data Privacy Framework |
| Cloudflare Cloudflare, Inc. | DNS, DDoS protection, edge caching (where deployed) | IP address, request metadata, TLS metadata | United States (global edge) | SCCs / EU-U.S. Data Privacy Framework |
We may add or replace subprocessors as needed to deliver, secure, or improve the Service. We will provide reasonable advance notice of new subprocessors that process personal data on behalf of customers, generally by updating this page. Business customers under a Data Processing Addendum may subscribe to notifications by emailing support@checkvibe.dev with the subject “Subprocessor Updates.”
Customers under our DPA may object in writing to a proposed new subprocessor on reasonable data-protection grounds. If objection cannot be resolved by appropriate measures, the customer may terminate the affected portion of the Service for convenience.
See also: Privacy Policy · DPA · Terms of Service
