Sub-Processors — Me Journal
Document control · Version 1.0 · Classification Confidential — Legal · Created 2026-05-02 · Last updated 2026-05-22 · Owner N (Astronero Ltd) · Next review 2026-11-18 · Location legal/SUB_PROCESSORS.md

| Version | Date | Author | Summary of change |
|---|---|---|---|
| 1.0 | 2026-05-22 | N / Claude | Doc-control header added; content pre-existing |
Last updated: 2026-05-02
Effective date: to be set when published
Operator: Astronero Ltd (England & Wales)
DRAFT — pending solicitor review. This list represents Me Journal's current and planned sub-processors as of the date above. The certification and DPA URLs are accurate to the best of our knowledge at the time of writing — verify each before publishing live.
This page lists every third-party processor that handles Me Journal user data on our behalf, what they process, where, the legal basis for the transfer, and how to reach their Data Processing Agreement.
We notify users by email at least 30 days before adding a new sub-processor that handles personal data. Subscribe to the sub-processor change notice list to receive these notices.
Currently active (in production)
| # | Sub-processor | Role | Personal data we share | Location | Certifications | DPA |
|---|---|---|---|---|---|---|
| 1 | Convex, Inc. (USA) | Application backend (database, functions, storage) | All app data: journal entries, mood logs, gratitude entries, programme data, preferences, push subscription metadata, AI usage ledger | United States | SOC 2 Type II | https://www.convex.dev/legal/dpa |
| 2 | Clerk, Inc. (USA) | Authentication, session management, user records | Email, name (optional), password (submitted by the user's browser directly to Clerk and stored by Clerk as a hash; Me Journal never receives it in any form), Clerk session tokens | United States | SOC 2 Type II | Available on request from Clerk's legal page |
| 3 | Stripe Payments Europe Ltd (Ireland) for EU users; Stripe, Inc. (USA) for US users | Payment processing, subscription billing, fraud detection | Email, billing address, payment method (we never see full card numbers), subscription status, transaction history | EU + USA | PCI DSS Level 1; SOC 1 + 2; EU-US Data Privacy Framework + UK Extension + Swiss-US DPF certified | https://stripe.com/legal/dpa |
| 4 | Vercel, Inc. (USA) | Web hosting, edge runtime, analytics (when user has consented) | Application logs (standard request metadata only; no journal, mood or gratitude content); pseudonymous user ID + page-view events when analytics consent given; service-worker assets | United States | SOC 2 Type II | https://vercel.com/legal/dpa |
| 5 | Cloudflare, Inc. (USA + global) | R2 object storage for founder videos and meditation audio; CDN edge | Video / audio files (no user content); access logs (standard request metadata only) | Cloudflare global edge; primary storage US | SOC 2 Type II; ISO 27001 | https://www.cloudflare.com/cloudflare-customer-dpa/ |
Planned (not yet in production — listed for transparency)
The following sub-processors are referenced in the codebase but send nothing until N configures the relevant API keys in production. They become active processors only once those keys are present; until then no user data reaches them.
| # | Sub-processor | Role | Personal data we will share | Location | Certifications | DPA |
|---|---|---|---|---|---|---|
| 6 | Anthropic, PBC (USA) | LLM inference for AI features when activated (gratitude insights, monthly synthesis) | Selected user content (e.g. journal excerpts, gratitude entries) only when AI features are explicitly enabled by the user. Zero retention configured — Anthropic does not retain or train on Me Journal user content. | United States | SOC 2 Type II; ISO 27001 | https://privacy.claude.com/en/articles/7996862-how-do-i-view-and-sign-your-data-processing-addendum-dpa |
| 7 | Beehiiv, Inc. (USA) | Newsletter and marketing email | Email address, name (optional), subscription tags (no journal content) | United States | SOC 2 (verify on Beehiiv trust page) | Available from Beehiiv's compliance team — request when configuring |
| 8 | Resend, Inc. (USA) | Transactional email (welcome, password reset, monthly synthesis delivery) | Email address, message content (only the transactional message we send) | United States | SOC 2 Type II | https://resend.com/legal/dpa |
Data flows — what goes where
Per-user typical data flow
```text
USER BROWSER
      │
      │ HTTPS (TLS 1.2+)
      ▼
┌─────────────────────┐          ┌──────────────────────┐
│ Vercel (USA)        │ ◀─────▶  │ Clerk (USA)          │
│ — hosts Me          │   auth   │ — sessions, MFA      │
│   Journal app       │          │ — user records       │
└─────────┬───────────┘          └──────────────────────┘
          │
          │ Convex API
          ▼
┌─────────────────────────────────────────────────────────┐
│ Convex (USA)                                            │
│ — primary database (journal, mood, gratitude, ...)      │
│ — server functions (queries, mutations, actions)        │
│ — storage for audio (current) + cron schedules          │
│ — encrypted at rest (AES-256)                           │
└────────────┬────────────────────────────────────────────┘
             │
     ┌───────┼─────────────────┬──────────────────────┐
     │       │                 │                      │
     ▼       ▼                 ▼                      ▼
┌────────┐ ┌────────┐ ┌──────────────┐ ┌──────────────────┐
│ Stripe │ │Cloud-  │ │ Anthropic    │ │ Beehiiv +        │
│ EU+US  │ │flare R2│ │ (when LLM    │ │ Resend           │
│ pay-   │ │video / │ │ features     │ │ (when configured)│
│ ments  │ │audio   │ │ activated)   │ │ email surface    │
│        │ │CDN     │ │ no retention │ │                  │
└────────┘ └────────┘ └──────────────┘ └──────────────────┘
```
Key principles
- **Voice transcription does not pass through our servers.** Voice input uses the browser's Web Speech API; only the resulting text is sent to Convex, and we run no server-side transcription of our own (no Whisper API or similar). Caveat for the solicitor review: where the recognition itself runs is decided by the browser, not by us. Chrome and other Chromium-based browsers send the captured audio to the browser vendor's speech-recognition service, so "never off-device" cannot be promised for every browser. The published wording should say so, and whether the browser vendor's speech service then belongs on this list needs to be confirmed before publication.
- **AI providers operate under zero-retention arrangements.** Anthropic is configured to NOT retain or train on Me Journal user content. This is agreed under the DPA and reflected in the Anthropic API workspace configuration; both should be checked again when the key is put into production.
- **Payment data is minimised.** We never see full card numbers — Stripe handles the entire card-on-file flow. We see only the billing address, the masked card brand / last 4 digits, and subscription state.
- **Authentication credentials are minimised.** Clerk handles password storage (bcrypt hashing) and session token management. The password is submitted from the browser directly to Clerk, so we never receive it in any form, plaintext or hashed.
- **No advertising or behavioural-tracking sub-processors.** We do not use Google Analytics, Facebook Pixel, LinkedIn Insight Tag, or any other behavioural-advertising or cross-site-tracking sub-processor.
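As an added illustration (example code, not Me Journal's own), the TypeScript below shows how the controls that the planned AI row and the principles above rely on can be enforced in one place: nothing is dispatched to the LLM sub-processor unless the provider key is present in the environment (the "inert until keys land" state of the planned table), the user has explicitly enabled AI features, and only an allowlisted, size-capped subset of each entry leaves the application. A second function fails closed if a later refactor widens the payload. The function and field names (`buildLlmDispatch`, `assertMinimised`, `aiFeaturesEnabled`, `ANTHROPIC_API_KEY` as the env-var name) and the entry shape are assumptions, not Me Journal's schema.

```typescript
// Added example, not Me Journal code. All names and shapes are hypothetical.

/** Per-user preference record; only the explicit opt-in flag matters here. */
export interface UserPrefs {
  aiFeaturesEnabled: boolean; // must be set by the user; default false
}

/** A journal entry as it might sit in the primary database (constructed shape). */
export interface JournalEntry {
  id: string;
  text: string;
  mood?: number;
  location?: string;
  createdAt: string;
}

/** The only fields permitted to leave the application for LLM inference. */
export type MinimisedEntry = { id: string; text: string };

export type DispatchDecision =
  | { allowed: false; reason: string }
  | {
      allowed: true;
      payload: { entries: MinimisedEntry[] };
      ledger: { entryIds: string[]; charsSent: number }; // for the AI usage ledger
    };

const MAX_CHARS_PER_ENTRY = 4000;

/**
 * Decide whether the selected entries may be sent to the LLM sub-processor
 * and, if so, build the minimised payload plus a usage-ledger record.
 * The order of checks matters: a missing key means the sub-processor is not
 * yet in production, so it short-circuits before any user data is touched.
 */
export function buildLlmDispatch(
  prefs: UserPrefs,
  entries: JournalEntry[],
  env: Record<string, string | undefined>,
  maxChars: number = MAX_CHARS_PER_ENTRY,
): DispatchDecision {
  // 1. Sub-processor is inert until the key lands in the environment.
  if (!env.ANTHROPIC_API_KEY) {
    return { allowed: false, reason: "llm sub-processor not configured" };
  }
  // 2. Explicit per-user opt-in; no inference on a default value.
  if (prefs.aiFeaturesEnabled !== true) {
    return { allowed: false, reason: "user has not enabled AI features" };
  }
  // 3. Minimise: field allowlist plus a size cap. Mood, location and
  //    timestamps are never copied even though they sit on the same record.
  const minimised: MinimisedEntry[] = entries.map((e) => ({
    id: e.id,
    text: e.text.slice(0, maxChars),
  }));
  const charsSent = minimised.reduce((n, e) => n + e.text.length, 0);
  if (charsSent === 0) {
    return { allowed: false, reason: "nothing to send" };
  }
  return {
    allowed: true,
    payload: { entries: minimised },
    ledger: { entryIds: minimised.map((e) => e.id), charsSent },
  };
}

/**
 * Defence in depth: refuse any payload carrying a field outside the allowlist.
 * Call this immediately before the network request so that a future change
 * which widens the payload fails closed instead of leaking extra fields.
 */
export function assertMinimised(payload: { entries: object[] }): true {
  const allowed = new Set(["id", "text"]);
  for (const entry of payload.entries) {
    for (const key of Object.keys(entry)) {
      if (!allowed.has(key)) {
        throw new Error(`payload field not allowlisted: ${key}`);
      }
    }
  }
  return true;
}
```

The ledger record returned alongside the payload is what a "per-user AI usage" row in the primary database would be built from, so the audit trail is produced by the same code path that decides to send, rather than reconstructed afterwards from provider logs.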
International data transfer mechanisms
Several sub-processors are based in the United States. Personal data transferred to them outside the EU/UK is subject to the international-transfer rules (Chapter V) of the UK GDPR and the EU GDPR. Our reliance:
- Stripe (Inc., USA), Vercel, Convex, Cloudflare, Anthropic, Resend, Beehiiv — primary basis is the EU Commission's Standard Contractual Clauses (SCCs) as included in their DPAs.
- Stripe specifically is also certified under the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework.
- UK transfers rely on the UK Addendum to the SCCs where the processor offers it, or the UK International Data Transfer Agreement otherwise.
- Supplementary measures in addition to the contractual mechanisms:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) across all sub-processors
- Zero-retention configuration on AI providers
- Minimisation of data sent to each sub-processor (only the fields strictly required for their function)
- Convex's "data residency" option exists for EU-region storage when needed; we will move to the EU region if the volume of EU users justifies it (not yet at launch scale)
How we vet new sub-processors
Before any new sub-processor is added, we verify:
- DPA is in place (or can be signed) and incorporates the current SCCs as appropriate
- Security posture: SOC 2 Type II report or ISO 27001 certification preferred (the SOC 2 report is read, not just the badge: its period, scope and any noted exceptions are checked); documented security controls reviewed if neither is available
- Data residency is acceptable for the data types involved
- Sub-processor's own sub-processor list is reviewed (chains matter — your processor's processor can be your weak link)
- Termination + data return / deletion clauses are reasonable
- Breach notification timeline is materially shorter than 72 hours: the 72-hour window under Article 33 is ours, runs from when we become aware, and is used to notify the supervisory authority, so a processor that takes the full 72 hours to tell us leaves us no time to meet it
For each addition, we update this page and email all account holders at least 30 days in advance.
How we exit a sub-processor
When we end a sub-processor relationship:
- We export all relevant data within the 30-day notice window
- We confirm with the sub-processor that they have deleted (or anonymised) Me Journal user data per the DPA's data-return clause
- We update this page within 30 days of the termination
- We do NOT email users about termination per se — we only email for additions where their data goes to a NEW party
Article 28 GDPR compliance summary
UK GDPR + EU GDPR Article 28 requires controllers (us) to engage processors (the parties above) only under a written agreement that includes specific terms about subject matter, duration, nature, purpose, types of data, categories of data subject, obligations and rights, and procedures for breach + return / deletion + assistance with data subject rights.
Each DPA above contains those terms. Where a processor's standard DPA omits any element required by Article 28, we negotiate an addendum. Records of all signed DPAs are maintained internally as part of our Article 30 Records of Processing Activities (RoPA).
Contact
Questions about a specific sub-processor or data transfer:
- Email: privacy@me-journal.com
- Subject line: "Sub-processor query"
We respond within one month, the period Article 12(3) GDPR sets for responding to data-subject requests.
Sources
- Convex DPA
- Stripe DPA — DPA FAQ
- Vercel DPA
- Cloudflare DPA
- Anthropic DPA
- Resend DPA
- Beehiiv compliance — request DPA from compliance team
- EU Commission Standard Contractual Clauses
- UK Addendum to SCCs
- EU-US Data Privacy Framework