Subprocessor List
Last updated: 19 April 2026
1. About this list
ACERA LABS uses the following third-party subprocessors to deliver the Acera analytics service. All subprocessors are bound by data protection obligations at least equivalent to Acera's obligations to its clients.
We will notify clients of any material changes to this list (addition of a new subprocessor that affects the processing of their personal information) at least 14 days before the change takes effect, where practicable.
2. Current subprocessors
| Subprocessor | Role | Location | Data protection basis |
|---|---|---|---|
| Anthropic, Inc. | AI model inference. Acera's agent layer runs on Claude models via the Anthropic API. Client data is not used to train models. | United States | Anthropic API data handling policy; Acera-Anthropic DPA |
| Supabase, Inc. | Managed PostgreSQL. All structured application data, account data, and uploaded datasets. | Australia (ap-southeast-2, Sydney) | Supabase DPA; AWS ap-southeast-2 data residency |
| Fly.io, Inc. | Cloud hosting and compute for the Acera frontend and API. | Australia (Sydney region, syd) | Fly.io DPA |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, and Turnstile bot protection. No raw form content or uploaded data content. | Global edge; origin in Australia | Cloudflare DPA |
| Stripe, Inc. | Payment processing. Acera never holds raw card data. | United States / Ireland (Stripe Payments Europe for EU clients) | Stripe Privacy Policy; PCI-DSS compliant |
| PostHog, Inc. | Product analytics. Usage events, page views, anonymised session identifiers. | EU Cloud (preferred) | PostHog DPA |
| Functional Software, Inc. (Sentry) | Error monitoring and crash reporting. Personal data scrubbed from error payloads. | United States | Sentry DPA |
| Zoho Corporation | Transactional and operational email for Acera's outbound mail. | Global | Zoho Privacy Policy; Zoho DPA on request |
| Doppler, Inc. | Secrets management. API keys and credentials only. No customer personal data. | United States | Doppler Privacy Policy |
| GitHub, Inc. (Microsoft) | Source code hosting and CI/CD. No customer personal data in the repository. | United States | GitHub DPA (Microsoft Products and Services DPA) |
3. International data transfers
Several subprocessors are located outside Australia. Acera takes the following steps to ensure personal information is protected in cross-border transfers:
| Subprocessor | Transfer basis (AU APP 8) | Transfer basis (GDPR) |
|---|---|---|
| Anthropic (US) | Contractual obligations; Anthropic API data handling policy | Standard Contractual Clauses |
| Cloudflare (global) | Contractual obligations; Cloudflare DPA | Standard Contractual Clauses |
| Stripe (US/IE) | Contractual obligations; Stripe DPA; PCI-DSS | Standard Contractual Clauses |
| PostHog (EU) | EU hosting preferred | EU-hosted instance avoids SCCs requirement |
| Sentry (US) | Contractual obligations; Sentry DPA | Standard Contractual Clauses |
| Zoho (global) | Contractual obligations; Zoho DPA | Standard Contractual Clauses |
| Doppler (US) | No customer personal data transferred | N/A |
| GitHub (US) | No customer personal data transferred | N/A |
4. Change log
| Date | Change | Clients notified |
|---|---|---|
| 19 April 2026 | Initial published list | N/A — pre-launch |
5. Contact
Questions about this subprocessor list: privacy@aceralabs.com.au