Current subprocessors

Each entry below covers the vendor's role in our pipeline, the categories of data we send it, the region it processes in, and a link to the vendor's published privacy or data-processing documentation. For the full CPRA category mapping, see §2 of the Privacy Policy; for the broader security posture, see the Security and data handling page.

Anthropic

  • Purpose. Large language model service that reads disclosure-packet text and drafts the buyer brief.
  • Data categories. Disclosure-packet content (CC&Rs, bylaws, reserve study, audited financials, board minutes, architectural records, litigation disclosures), which commonly contains third-party Identifiers (homeowner and board-member names, addresses) and Professional or employment-related information. No customer billing data. No order-confirmation contact details beyond what is needed to attribute the analysis run.
  • Processing region. United States.
  • Privacy / DPA reference. anthropic.com/legal/privacy

Cloudflare

  • Purpose. Web hosting, content delivery network, Distributed Denial of Service (DDoS) protection, R2 object storage for uploaded packets and generated briefs, and Turnstile bot protection on the public contact form.
  • Data categories. Uploaded disclosure packets (stored encrypted at rest in a private R2 bucket), generated brief PDFs, request metadata (Internet Protocol address, timestamps, user agent), and routine web-server logs. For Turnstile, browser and device signals from contact-form visitors, used only to separate real people from automated abuse.
  • Processing region. Primary region: United States. Cloudflare operates a global edge network; packet storage is regionally pinned to the US.
  • Privacy / DPA reference. cloudflare.com/privacypolicy

Railway

  • Purpose. Backend pipeline infrastructure that runs the extraction, analysis, and brief-rendering workers.
  • Data categories. Packet content read transiently from R2 during a brief-generation run, plus operational telemetry (process timings, memory, error logs). Nothing intermediate persists on a worker filesystem.
  • Processing region. United States.
  • Privacy / DPA reference. railway.com/legal/privacy

Stripe

  • Purpose. Payment processing for single-brief orders and brokerage seat-license subscriptions.
  • Data categories. Customer name, email, billing address (collected by Stripe at checkout), payment-card tokens. Stripe tokenizes the card; HOA Notes never sees or stores a full card number. Transaction amounts and receipt records.
  • Processing region. United States.
  • Privacy / DPA reference. stripe.com/privacy · stripe.com/legal/dpa

Resend

  • Purpose. Transactional email delivery (order confirmations, brief-delivery notifications with the unique brief URL, billing receipts) on a verified sub-domain.
  • Data categories. Recipient email address, sender metadata, message subject and body. Packet content and brief content never transit Resend; emails carry order identifiers and a link to the brief hosted on our storage.
  • Processing region. United States.
  • Privacy / DPA reference. resend.com/legal/privacy-policy · resend.com/legal/dpa

HubSpot

  • Purpose. Customer-relationship records for active customers (contact info, brief-request history, brokerage seat-license admin contact).
  • Data categories. Customer Identifiers and Commercial information (name, work email, brokerage affiliation, order history, lifecycle stage). No packet content. No third-party Identifiers from inside packets.
  • Processing region. United States.
  • Privacy / DPA reference. legal.hubspot.com/privacy-policy · legal.hubspot.com/dpa

Sentry

  • Purpose. Error monitoring and stack-trace capture for the application and pipeline workers, so we can fix bugs.
  • Data categories. Technical error context (stack traces, request paths, environment metadata, release identifiers), order identifier where present for correlation. No packet content. No brief content. Personally identifying values are not intentionally sent and are scrubbed where they appear.
  • Processing region. United States.
  • Privacy / DPA reference. sentry.io/privacy · sentry.io/legal/dpa

Plausible Analytics

  • Purpose. Aggregate web analytics on the public marketing site (hoanotes.com): pageviews per URL and a small number of named conversion events (sample-brief downloads, /order clicks, /brokerage clicks, contact-form submissions, navigation from /hoa/* SEO pages to /order, and pageviews of the post-payment confirmation pages at /order/success and /brokerage/success). Used to understand which pages convert. Cookieless and privacy-preserving by design. The customer-facing brief application at briefs.hoanotes.com, the packet-upload step, and the brokerage admin portal are not instrumented with Plausible.
  • Data categories. Page URL (path; query parameters discarded except marketing campaign tags such as utm_source), HTTP referrer, browser and version, operating system, device class, country-region-city derived from the Internet Protocol address. The Internet Protocol address itself is not stored. A daily-rotating salted hash is used in place of cookies; the salt rotates every 24 hours, preventing cross-day visitor identification. No packet content. No customer Identifiers. No third-party Identifiers from inside packets.
  • Processing region. European Union. Plausible Insights OÜ is incorporated in Estonia; servers are owned and operated by European infrastructure providers within the EU.
  • Privacy / DPA reference. plausible.io/data-policy · plausible.io/dpa

How we change this list

Notice before adding a new subprocessor. Before HOA Notes engages a new subprocessor that will process customer information or packet content, we update this page and notify active customers by email at least 30 days in advance, with the vendor name, purpose, data categories it will receive, and processing region. Active customers who object on substantiated grounds may terminate their active engagement without further obligation prior to the new subprocessor going live; see §4 of the Privacy Policy and the termination provisions in the Terms.

Removing or replacing a subprocessor. If we discontinue a vendor or replace it with another, this page is updated with the change. Removals are not pre-announced, but the change is reflected here within five business days.

No sale or share. None of the vendor relationships above are "sales" or "shares" of personal information as those terms are defined under California Civil Code §§1798.140(ad) and 1798.140(ah). They are service-provider relationships under §1798.140(ag).

Last reviewed: May 31, 2026.

Questions, due-diligence requests, or objections

If your brokerage's procurement process needs vendor-specific documentation (a SOC 2 report, a signed DPA, a security questionnaire response) or you want to object to a planned subprocessor, reach us through the contact form with subject "subprocessors." We acknowledge within one business day and respond substantively within five business days.