Our Vendor Commitment
At Cleft, we carefully select third-party vendors who share our commitment to data protection and user privacy. This page provides complete transparency about all 37 vendors we work with.
Last Updated: September 10, 2025
Effective: September 10, 2025
All vendors meet our strict data protection standards and comply with GDPR, CCPA, and other applicable privacy regulations.
Vendor Overview
Vendors Handling Personal Data
19 vendors process personally identifiable information (PII)
These vendors handle customer data like notes, account info, or payment details. All have signed Data Processing Agreements.
Business Operations Only
18 vendors handle no personal customer data
These vendors support our business operations, marketing, and development but never access your personal information.
Vendors Processing Personal Data
High Privacy Standards: These 19 vendors handle personally identifiable information (PII) and are subject to our strictest data protection requirements.
Cloud Infrastructure & Data Processing
Amazon Web Services (AWS)
Services: Hosting and managing cloud infrastructure
PII Handling: Yes - Hosts encrypted user data
Data Centers: EU, Global (multiple locations)
HQ: Seattle, Washington, USA
Links: Homepage | Privacy | DPA
What They Access: Secure hosting infrastructure only. AWS provides encrypted storage but cannot access your actual notes or content.
Apple
Services: Developing and distributing applications through the Apple ecosystem
PII Handling: Yes - App Store account data and on-device processing
Data Centers: Global (multiple locations)
HQ: Cupertino, California, USA
Links: Homepage | Privacy | DPA
What They Access: Whisper transcription model runs locally on your device. Apple handles App Store transactions but doesn't access your Cleft content.
Cloudflare
Services: CDN, DNS, and DDoS protection services
PII Handling: Yes - Website traffic and DNS queries
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | DPA
What They Access: Website traffic patterns and DNS queries only. No access to Cleft content or user data.
AI Processing Partners
OpenAI
Services: Primary LLM provider for note enhancement
PII Handling: Yes - Processes transcript text only
Data Centers: Not specified
HQ: San Francisco, California, USA
Links: Homepage | Privacy | DPA
What They Access: Transcript text only (never audio) for AI processing. Your data is never used for model training.
Groq
Services: Backup LLM provider to ensure service reliability
PII Handling: Yes - Processes transcript text only
Data Centers: Global (multiple locations)
HQ: Mountain View, California, USA
Links: Homepage | Privacy | Terms
What They Access: Alternative AI processor for text enhancement. Same privacy protections as OpenAI.
Anthropic
Services: Additional AI processing capabilities
PII Handling: Yes - Processes transcript text only
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Processes transcript text for note enhancement. Strict no-training policy on user data.
Payment & Billing
Stripe
RevenueCat
Services: Managing in-app subscriptions and purchases
PII Handling: Yes - Subscription data and analytics
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Subscription management and analytics. No access to your notes or content.
Revolut Business
Customer Management & Communications
HubSpot
Mailerlite
Services: Conducting email marketing campaigns
PII Handling: Yes - Email addresses for marketing (opt-in)
Data Centers: Global (multiple locations)
HQ: Vilnius, Lithuania
Links: Homepage | Privacy | Terms
What They Access: Email addresses for newsletter delivery only (opt-in). No access to personal content.
Business Intelligence & Monitoring
Google Workspace
Metabase
1Password
Services: Team password management and secure credential storage
PII Handling: Yes - Internal team credentials and access management
Data Centers: EU
HQ: Toronto, Ontario, Canada
Links: Homepage | Privacy | Terms
What They Access: Internal team passwords and credentials only. No customer data or personal information.
Sentry
Website & Design Services
Webflow
Services: Designing and hosting our public-facing website and forms
PII Handling: Yes - Website form submissions
Data Centers: Global (multiple locations)
HQ: San Francisco, California, USA
Links: Homepage | Privacy | Terms
What They Access: Website contact forms and landing page interactions only.
SoFriendly
Scheduling & Automation
Fillout
Business Operations Vendors
No Personal Data: These 18 vendors support our business operations, marketing, and development but never access your personal information or content.
Social Media & Marketing
Facebook/Meta
Instagram
LinkedIn
X (Twitter)
Threads
Mastodon
Development & Collaboration
GitHub
Slack
Documentation & Content
Mintlify
Screen Studio
Services: Product video creation
PII Handling: No - Video production only
Links: Currently no website listed
Media & Podcast
Transistor
Analytics (Anonymous Only)
Fathom Analytics
TelemetryDeck
Services: In-app anonymous analytics and performance monitoring
PII Handling: No - Anonymous analytics only (no PII passed)
Data Centers: EU (Germany)
HQ: Würzburg, Germany
Links: Homepage | Privacy | Terms
What They Track: Anonymous app usage patterns and performance metrics only. Zero personal information.
Vendor Data Practices
Data Retention
Our vendors are contractually required to:
- Retain data only as long as necessary for service delivery
- Delete data upon our request
- Follow the same data retention policies we maintain
Data Security
All vendors must:
- Encrypt data in transit and at rest
- Maintain SOC 2 Type II compliance or equivalent
- Undergo regular security audits
- Report any security incidents within 24 hours
Data Access
Vendor access to your data is:
- Limited to what's necessary for service delivery
- Logged and monitored
- Subject to strict confidentiality agreements
- Never used for vendor's own purposes
- Detailed above for each specific vendor
Vendor Selection Process
We maintain strict criteria when selecting third-party vendors to ensure the highest level of data protection:
- Privacy Standards: GDPR, CCPA, and international privacy law compliance
- Security Certifications: We prefer and prioritize vendors who align with the following certifications:
  - SOC 2 Type II compliance
  - ISO 27001 certification
  - Other recognized industry security standards
- Data Processing Agreements: Clear contractual obligations about data handling
- Incident Response: Proven track record of security and transparency
- Business Continuity: Financial stability and reliable service delivery
Our Commitment: We actively seek vendors with the strongest security posture and will migrate to more secure alternatives when they become available.
Data Processing & Vendor Compliance
Vendor DPA Requirements
We ensure all vendors handling personal data have appropriate data protection measures:
- DPA Verification: We verify that vendors have comprehensive Data Processing Agreements available that specify:
  - Permitted uses of your data
  - Data security requirements
  - Incident notification procedures
  - Data subject rights fulfillment
  - Audit and compliance obligations
- Contractual Protections: Where direct DPAs aren't signed, we ensure contractual terms include equivalent data protection commitments
- Ongoing Monitoring: Regular review of vendor compliance and security practices
Cleft's Data Processing Agreement
Transparent DPA Available
No Request Needed - Publicly Available
Cleft's complete Data Processing Agreement is transparently available to all customers:
View Our DPA: Data Processing Agreement
Questions: privacy@cleftnotes.com with "DPA" in subject line
Customer Support: Audit rights and compliance assistance available
What's Included: Controller/Processor roles, security measures, data transfers, incident response, audit rights, and complete data handling transparency.
Your Rights Regarding Vendor Data
You have the right to:
- Know which vendors process your data
- Request deletion of your data from all vendors
- Receive copies of vendor DPAs upon request
- Be notified of any vendor data breaches
- Opt-out of specific vendor services where possible
Vendor Updates
We regularly review our vendor relationships and may:
- Add new vendors to improve our services
- Remove vendors that no longer meet our standards
- Update vendor data processing terms
- Notify users of significant vendor changes
If you have concerns about any of our vendors or their data practices, please contact our Data Protection Officer at DPO@cleftnotes.com.
Contact Information
For questions about our vendors or data processing:
- Data Protection Officer: DPO@cleftnotes.com
- General Privacy Questions: privacy@cleftnotes.com
- Vendor DPA Requests: privacy@cleftnotes.com
Quick Reference
Total Vendors: 37
Handle Personal Data: 19 vendors
Business Operations Only: 18 vendors
Last Updated: September 10, 2025
All DPAs Available: Upon request to privacy@cleftnotes.com
This page was last updated on September 18, 2024. We'll notify users of any material changes to our vendor relationships.