Sub-Processors

queri uses the following third-party services to provide our platform. Each sub-processor is bound by contractual obligations at least as protective as our DPA.

Last updated: March 2026

We notify all customers with an active DPA at least 30 days before adding a new sub-processor or making a material change to an existing one. Notifications are sent to the organization administrator. Objections may be raised by contacting security@queri.so within the notification period.

Infrastructure & Hosting

Vercel

Application hosting, CDN, serverless functions

US (Global CDN)
Certifications: SOC 2 Type II, ISO 27001, PCI DSS
Data Processed: Application code, user sessions, API requests
Retention: Duration of request processing

Supabase (AWS)

Database, authentication, file storage

US (us-east-1)
Certifications: SOC 2 Type II
Data Processed: All customer data: documents, embeddings, user accounts, chat history, org settings
Retention: Duration of subscription + 30-day deletion window

Modal

Document processing (chunking, embedding, context generation)

US
Certifications: SOC 2 Type II
Data Processed: Document content during batch processing. Deleted after processing completes.
Retention: Duration of processing job only

AI & Machine Learning

OpenAI

LLM inference (chat responses), text embeddings

US
Certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701
Data Processed: Query text, document chunks (for inference). Zero retention on API. Data not used for training.
Retention: No retention (zero-retention API terms)

Anthropic

LLM inference (chat responses)

US
Certifications: SOC 2 Type II, ISO 27001, ISO 42001
Data Processed: Query text, document chunks (for inference). Zero retention on API. Data not used for training.
Retention: No retention (zero-retention API terms)

OpenRouter

LLM request routing

US
Certifications: SOC 2, ISO 27001, GDPR compliant
Data Processed: Query text (routed to selected LLM provider). Zero retention option enabled.
Retention: No retention

Payments

Stripe

Payment processing, subscription billing

US (Global)
Certifications: PCI DSS Level 1, SOC 2 Type II
Data Processed: Payment methods, billing addresses, subscription metadata. No access to knowledge base data.
Retention: Per Stripe's retention policy

Communications

Resend

Transactional email delivery

US
Certifications: SOC 2 Type II
Data Processed: Email addresses, email content (notifications, invites, digests). No access to knowledge base data.
Retention: 30 days

Crisp

Customer support chat widget

EU (France)
Certifications: GDPR compliant
Data Processed: Support conversation content, email addresses of users who initiate support chats.
Retention: Per Crisp retention policy

Monitoring & Analytics

PostHog

Product analytics

US / EU
Certifications: SOC 2 Type II
Data Processed: Anonymous usage events, page views. No PII collected. Cookie-less mode available.
Retention: Per PostHog retention settings (configurable)

Sentry

Error monitoring

US
Certifications: SOC 2 Type II, ISO 27001
Data Processed: Error stack traces, request metadata. No customer content data. May incidentally contain user IDs in error context.
Retention: 90 days

BetterUptime

Uptime monitoring

EU
Certifications: GDPR compliant
Data Processed: Public endpoint availability checks only. No access to customer data.
Retention: 12 months

All sub-processors are subject to contractual obligations at least as protective as those in our DPA. queri conducts due diligence on sub-processor security practices before engagement.