Legal · Nadir Tech LLC
Subprocessors
Last updated: May 20, 2026
Comma uses a small number of third-party service providers (subprocessors) to operate the Service. Each vendor below has signed a Data Processing Addendum (DPA) with us or operates under terms that include equivalent contractual protections.
1. Current subprocessors
The following vendors may process personal data on our behalf. Customer-uploaded report content is stored only with Supabase (database) and Cloudflare R2 (assets); third parties below see only what is required for their stated purpose.
| Vendor | Purpose | Data processed | Region | Documents |
|---|---|---|---|---|
| Cloudflare, Inc. | Web application hosting (Workers), DNS, TLS termination, edge caching, DDoS protection, R2 object storage for report assets. | Request metadata (IP, user-agent, request path), TLS-terminated payloads, uploaded report assets (images, attachments). | Global edge network with primary control plane in the United States. Storage (R2) is region-pinned to North America (auto). | |
| Supabase, Inc. | Managed Postgres database (reports, comments, accounts, billing state), authentication, realtime websockets, file storage. | Account information, report HTML, comments, routine definitions and run history, encrypted connector secrets. | United States — AWS us-west-2 (Oregon). | |
| Amazon Web Services, Inc. (AWS Bedrock) | LLM inference for the report-generation agent. | Skill prompts and the connector data you choose to send to a routine. AWS does not use Bedrock inputs/outputs for training. | United States — AWS us-west-2 (Oregon). | |
| Stripe, Inc. | Payment processing, subscription management, metered billing. | Billing email, last-four card digits and country (full card data never reaches Comma), subscription state, usage-record line items. | Global; primary processing in the United States. | |
| PostHog, Inc. | Product analytics (page views, feature usage, anonymized session telemetry). | Pseudonymous user identifier, page paths, event names, coarse client metadata (device, browser, country derived from IP — IP is not stored). | United States — AWS us-east-1 (PostHog US Cloud). | |
2. Where your data lives
Comma’s primary infrastructure runs in the United States (AWS us-west-2, Oregon). In normal operation customer report content, comments, account information, and routine run history do not leave the United States. Cloudflare’s edge network serves cached static assets and performs TLS termination globally; no customer-uploaded content is stored at the edge.
3. AI processing
When you run a routine, the skill prompt and the connector data you have bound to it are sent to AWS Bedrock for inference under AWS’s data-protection terms. AWS Bedrock does not use customer inputs or outputs to train any model. We do not send your data to any model provider beyond what is required to fulfil a routine you have explicitly triggered.
4. Notification of changes
We will update this page when a subprocessor is added, removed, or materially changes its role. Material additions are also announced through our changelog and (for paid customers) by email to the workspace owner at least 30 days before the new subprocessor begins processing customer data, so customers may object.
5. Requesting a Data Processing Addendum
We can sign a standalone DPA with you (covering GDPR, UK GDPR, and CCPA) — email info@getnadir.com and we will return one within two business days. The DPA references the list above and inherits the regional commitments on this page.