Legal

Subprocessors

Last updated June 10, 2026

This page lists the subprocessor and provider categories Enstate Labs uses or may enable to operate Enping.

How to read this list

Enstate Labs uses subprocessors to provide, secure, support, bill, and improve Enping. This list reflects Enping's current architecture and production configuration. Customer-enabled integrations are listed separately because they are systems selected or authorized by the customer, even though Enping may transmit data to them at the customer's instruction.

Better Auth is used by Enping as application authentication software running inside the Convex-hosted backend and related app code. It is not listed as a separate hosted subprocessor unless Enstate Labs later enables a distinct third-party authentication service that processes personal data outside the existing hosting and backend subprocessors.

This page supports the Data Processing Agreement. It is not a substitute for a signed DPA, security review, transfer impact assessment, or customer-specific order form where one is required.

Convex

Core production subprocessor.

Purpose: Hosted backend platform, database, real-time infrastructure, server-side functions, HTTP actions, and file storage.
Data involved: Account, workspace, organization, customer, project, site, feedback, widget submission, reviewer access, comment, activity, audit, billing snapshot, and storage metadata handled by the Service.
Location: United States-hosted Convex deployment for Enping production data, with provider-operated infrastructure and support locations as described by Convex.

Vercel

Core hosting subprocessor for the web application.

Purpose: Web app hosting, routing, TLS, CDN, deployment infrastructure, availability, and security logs for the Enping dashboard and public site.
Data involved: IP addresses, request metadata, device/browser metadata, limited account or workspace identifiers in URLs or logs where applicable, and operational diagnostics needed to serve and secure the Service.
Location: Provider-operated regions; request routing may depend on visitor location and deployment configuration.

Polar

Enabled for paid plans and billing workflows.

Purpose: Billing, subscriptions, checkout, customer portal, metering, and payment workflows.
Data involved: Billing contact details, customer IDs, subscription status, plan metadata, invoice/payment metadata, and usage counters. Private feedback payloads should not be sent in Polar metadata.
Location: Provider-operated regions.

OpenRouter and downstream model providers

Optional AI subprocessor; used only when AI-powered features are enabled.

Purpose: AI gateway, model routing, feedback triage, classification, summarization, and workflow assistance.
Data involved: Feedback title, message, URL/page context, structured feedback metadata, prompts, model context, and AI outputs when AI features are enabled for a workspace.
Location: Provider-operated regions; downstream model provider location may vary by model.

Resend

Transactional email subprocessor for email features.

Purpose: Transactional email, invitations, notifications, verification, and support communications.
Data involved: Email addresses, names where provided, message metadata, invitation context, and transactional email content.
Location: Provider-operated regions.

Customer-enabled integrations

Customer-directed recipients; not used unless enabled or authorized by the customer.

Purpose: GitHub, webhooks, APIs, and other systems connected or authorized by the customer.
Data involved: Feedback content, issue metadata, comments, labels, status, links, repository/project identifiers, and integration credentials or tokens where required by the customer-selected integration.
Location: Controlled by the customer-selected integration provider.

Change notices and objections

Enstate Labs may add or replace subprocessors where reasonably necessary to operate, secure, maintain, or improve Enping. Provider entries marked optional or customer-directed process personal data only when the relevant feature or customer integration is enabled. If a change is material, Enstate Labs will provide notice through the Service, email, this page, or another reasonable channel. Customers may object on reasonable data protection grounds according to their agreement or DPA.

Contact

Questions about subprocessors or data protection can be sent to privacy@enping.app.