Review status
This is the public operational list for legal and DPO review. Before signing a school or trust DPA, Schoolgle should confirm the live suppliers, regions, transfer safeguards and contractual status match the production deployment.
Sub-processor list
| Provider | Purpose | Location | Data involved | Safeguards to confirm |
|---|---|---|---|---|
| Supabase | Database, authentication and storage services | EU region configured for production services | School account data, platform records, evidence metadata and stored content where used | DPA, regional configuration and supplier security controls |
| Vercel | Application hosting and deployment | Regional hosting configured by deployment | Application requests, logs, deployment data and limited operational metadata | DPA, infrastructure security controls and regional deployment settings |
| Google | OAuth, Google Drive integration and approved Gemini AI processing where used | EU/US depending on service and contractual terms | OAuth tokens, connected file metadata/content where authorised and AI prompts where configured | Provider DPA and transfer safeguards where relevant |
| Microsoft | Microsoft OAuth, OneDrive/SharePoint integration and approved AI services where used | UK/EU/US depending on service and contractual terms | OAuth tokens, connected file metadata/content where authorised and AI prompts where configured | Provider DPA and transfer safeguards where relevant |
| OpenRouter | Routing approved AI model requests to configured model providers | US with transfer safeguards where applicable | Minimised AI prompts, evidence excerpts and generated responses where AI features are used | AI provider governance review, DPA/contract terms and approved model policy |
| OpenAI | Approved AI processing and embeddings where configured | US with transfer safeguards where applicable | Minimised AI prompts, embeddings inputs and generated responses where configured | Provider DPA/contract terms and transfer safeguards where relevant |
| Anthropic | Approved AI synthesis and analysis where configured | US with transfer safeguards where applicable | Minimised AI prompts and generated responses where configured | Provider DPA/contract terms and transfer safeguards where relevant |
| Mistral AI | OCR and approved AI processing where configured | EU | Document images or extracts where OCR or approved AI processing is requested | Provider DPA/contract terms and regional processing controls |
| Resend | Transactional email | US/EU depending on service routing | Email addresses, message metadata and transactional email content | Provider DPA/contract terms and transfer safeguards where relevant |
| Stripe | Payment processing | US/EU with Stripe transfer safeguards | Billing contact details, payment metadata and subscription information | Stripe data protection terms, PCI controls and transfer safeguards |
Changes to this list
Schoolgle aims to give schools reasonable notice of material sub-processor changes through contract, email or product notice where required. Schools should review this page and their signed DPA for the notice period that applies to them.
Where a signed DPA gives general authorisation for sub-processors, the DPA should also explain how schools can object to a proposed material change before the new sub-processor is used for their data.
AI providers
School/customer data may only be sent to approved AI provider families under the Schoolgle model policy: OpenAI, Anthropic, Google, Meta Llama, Mistral and Microsoft. Any new provider family requires governance review before use with customer data.