Sub-processors
Last updated 2026-05-24
A sub-processor is any third-party SaaS or cloud vendor that processes personal data on SpectraQC's behalf in the course of delivering the service. This list is exhaustive for production.
Right of objection (Article 28(2) GDPR) is preserved at all times — email dpo@spectraqc.io if you wish to object to a sub-processor on this list.
| Sub-processor | Purpose | Data | Region | Transfer |
|---|---|---|---|---|
| Amazon Web Services | Compute, storage, DDB, transcription, email | All customer media + reports + account email | EU (eu-west-1) | EU-only; AWS DPA + EU SCCs |
| Anthropic, PBC | Vision analysis of decoded video frames | Decoded frame bytes only (no audio, no filename) | United States | EU SCCs; Anthropic DPA |
| Vercel | Hosting of the Next.js frontend + marketing site | HTTP request metadata; no QC content | EU + global edge | EU SCCs; Vercel DPA |
| Clerk | Authentication + organisation membership | Email, name, password hash, session metadata | United States | EU SCCs; Clerk DPA |
| Stripe | Subscription billing + payment processing | Customer email, billing address, card token (not number) | EU + US | EU SCCs; Stripe DPA |
| Slack | Customer-configured QC notifications | Job IDs + summary text (user-controlled) | United States | EU SCCs; Slack DPA |
Anthropic — additional disclosure
QC analysis of submitted video uses Anthropic's Claude API. We send decoded RGB frame bytes (1–60 frames depending on duration and check class) plus a prompt describing the broadcast standard being checked. No audio, no transcript, no original filename, no customer identifier accompanies the request.
Opt-out: customer orgs can be flagged allow_third_party_ai = false, in which case the Claude vision calls are skipped entirely for that org's jobs and the affected checks emit severity: skipped with failure_kind: org_opt_out_third_party_ai. All non-vision checks (audio, codec, metadata, signal-range, PSE, etc.) continue to run normally. Email dpo@spectraqc.io to have the flag set on your org.
Internal tools
We also use Atlassian (Jira/Confluence — EU-hosted) for engineering ticketing and GitHub (US) for source code. Neither receives customer-uploaded media or QC outputs.
Questions: dpo@spectraqc.io.