Mielto

Subprocessors

Third-party service providers that assist in delivering our services

Mielto Subprocessors

Last Updated: July 29, 2025

Entity: Mielto, Inc., a Delaware C-Corp (“Company,” “we,” “our,” “us”).

Address: Mielto, Inc., 724 Cole St, Unit 3, San Francisco, CA 94117, USA

Questions: legal@mielto.com

This page lists third-party subprocessors Mielto engages to help deliver the Services. We may update this list and will provide advance notice of material changes as described in our Data Processing Addendum (DPA).


What are subprocessors?

Subprocessors are third-party service providers that process personal data on our behalf to help us provide, secure, and support the Services.


Current & Authorized Subprocessors

Status legend: Active = used today for all/most tenants. Optional = used only if the tenant or plan enables the feature/integration. We will give 30 days’ notice before activating a new subprocessor for your workspace (except emergencies).

1) Infrastructure, Networking & Delivery

Vendor

Purpose

Data Categories

Processing Location

Transfer Mechanism

Applies To

Status

Amazon Web Services (AWS)

Cloud hosting (compute, storage, backup)

Customer Content; Service/telemetry data

USA (primary)

N/A (US-based)

Core app, APIs, storage

Active

Vercel, Inc.

App hosting & deployment (edge/runtime)

IP/request metadata; limited Customer Content via API responses

USA/EU (per PoP)

SCCs as applicable

Web app & edge functions

Active

Cloudflare, Inc.

CDN, WAF, DDoS, DNS; optional Turnstile

IP/request metadata, headers

Global PoPs

SCCs as applicable

Web app & APIs

Optional (security/CDN)


2) Databases & Identity

Vendor

Purpose

Data Categories

Processing Location

Transfer Mechanism

Applies To

Status

Supabase, Inc.

Managed Postgres, Auth, storage

Customer Content; account identifiers; auth data

USA/EU (region-configurable)

SCCs as applicable

Core data & auth

Active


3) Email & Communications

Vendor

Purpose

Data Categories

Processing Location

Transfer Mechanism

Applies To

Status

Resend Labs, Inc.

Transactional email delivery

Recipient email, message metadata, templates

USA

N/A (US-based)

Transactional notices

Active

SendGrid (Twilio Inc.)

Inbound email processing & webhooks

Sender/recipient email, headers, body

USA

N/A (US-based)

Inbound parsing/webhooks

Active

Twilio Inc.

SMS/voice (if enabled)

Phone numbers; message metadata/content

USA/EU (per service)

SCCs as applicable

SMS MFA/alerts

Optional


4) Payments & Billing

Vendor

Purpose

Data Categories

Processing Location

Transfer Mechanism

Applies To

Status

Stripe, Inc.

Payments, subscriptions, invoicing; Radar fraud tools

Billing details, identifiers, last-4, txn metadata

USA/EU

SCCs as applicable

Billing & refunds

Active


5) AI & Model Providers

Vendor

Purpose

Data Categories

Processing Location

Transfer Mechanism

Applies To

Status

OpenAI, L.P.

LLM inference (text, tools)

Prompts/outputs if AI features enabled

USA/EU (per vendor)

SCCs as applicable

AI features

Active (tenant-enabled)

Anthropic PBC

LLM inference (optional)

Prompts/outputs

USA/EU (per vendor)

SCCs as applicable

AI features

Optional

Microsoft Azure OpenAI

LLM via Azure regions (optional)

Prompts/outputs

Region as configured

SCCs as applicable

AI features

Optional

Google AI (Vertex/Gemini)

LLM/vision (optional)

Prompts/outputs

Region as configured

SCCs as applicable

AI features

Optional

Pinecone Systems, Inc.

Vector database (optional)

Vector embeddings; doc IDs

USA/EU

SCCs as applicable

AI retrieval

Optional


We do not use Customer Content to train foundation models unless a tenant explicitly opts in. AI providers are called only for tenants that enable AI features.

6) Analytics, Observability & Monitoring

Vendor

Purpose

Data Categories

Processing Location

Transfer Mechanism

Applies To

Status

Vercel Analytics

Website/app analytics & performance

IP (truncated), request metadata

USA/EU

SCCs as applicable

Web app

Active

PostHog

Product analytics & (optional) session replay

Pseudonymous telemetry; events; optional replay

EU/US (region selectable)

SCCs as applicable

App analytics

Optional (EU residency available)

Sentry

Error tracking & performance

Pseudonymous telemetry; stack traces; limited context

USA/EU

SCCs as applicable

App & API

Optional

Datadog

Infra/APM/logs (optional)

Telemetry/logs/metrics

USA/EU

SCCs as applicable

Observability

Optional


Session replay is off by default; if enabled, we recommend masking inputs and excluding sensitive screens.

7) Customer Support & Engagement

Vendor

Purpose

Data Categories

Processing Location

Transfer Mechanism

Applies To

Status

Calendly

Scheduling for demos/support

Names, emails, meeting metadata

USA

N/A (US-based)

Scheduling

Active

Intercom or Zendesk

In-app support/chat/tickets (if enabled)

Contact info; ticket content

USA/EU

SCCs as applicable

Support

Optional (one or the other)


8) Security, Identity & Feature Flags (Enterprise options)

Vendor

Purpose

Data Categories

Processing Location

Transfer Mechanism

Applies To

Status

Okta, Inc.

SSO/SAML/SCIM (if tenant uses)

User identifiers; SSO assertions

USA/EU

SCCs as applicable

Enterprise SSO

Optional

LaunchDarkly

Feature flagging

Anonymous IDs; flag eval metadata

USA

N/A (US-based)

Controlled rollouts

Optional

Cloudflare Turnstile / reCAPTCHA

Bot/abuse protection

IP, device signals

Global/USA

SCCs as applicable

Abuse prevention

Optional


9) DevOps & Internal Operations (limited PI)

Vendor

Purpose

Data Categories

Processing Location

Transfer Mechanism

Applies To

Status

GitHub, Inc.

Code hosting, CI/CD

Contributor identifiers; may incidentally include logs

USA/EU

SCCs as applicable

Build/deploy

Optional

Linear / Jira

Issue & project tracking

Reporter identifiers; ticket content

USA/EU

SCCs as applicable

Support/engineering

Optional

DocuSign

E-signature (enterprise contracts)

Signer name, email, IP

USA/EU

SCCs as applicable

Contracting

Optional



Security & Compliance Commitments

All subprocessors must:

Implement appropriate technical and organizational measures (TOMs).



Process personal data only on our documented instructions.



Maintain confidentiality and restrict access to need-to-know.



Assist us with data subject rights requests (where applicable).



Delete/return personal data at end of engagement.



Comply with applicable data protection laws and enter into SCCs/UK Addendum where required.




International Transfers

Some subprocessors operate outside your country/region. For such transfers, we rely on Standard Contractual Clauses (EU SCCs), the UK International Data Transfer Addendum, and other recognized mechanisms, as applicable.


Change Notices & Objections

For significant changes (e.g., adding or replacing a subprocessor) we will provide advance notice via:

Email to admin contacts, and/or



Notice in the admin console, and



Update of this page with a new “Last Updated” date.



You may object to a new subprocessor by emailing legal@mielto.com within 30 days of notification. We will work in good faith to address reasonable objections (e.g., disable an integration or propose an alternative). If unresolved, you may terminate the affected Services per your agreement.


Related Documents

Data Processing Addendum (DPA): /legal/dpa



Privacy Policy: /privacy



Terms of Service: /terms




For questions about our subprocessors, contact us at legal@mielto.com