Skip to main content

Subprocessor List

Effective date: April 28, 2026

Permissio, Inc.


1. Purpose

This Subprocessor List identifies third-party providers ("Subprocessors") that may process Customer Personal Data to support the Permissio Services. This list is incorporated as Annex 3 to the Data Processing Addendum.


2. Current Subprocessors

ProviderServiceProcessing activityLocation
ClerkAuthentication and identityUser authentication, session management, identity records, organization membership, multi-factor authenticationUnited States
StripeBilling and payment processingCustomer billing, subscription status, invoice records, payment processor identifiersUnited States
ResendTransactional email deliverySigning invitations, OTP messages, completion notices, account alerts, delivery event recordsUnited States
RailwayHosting and managed infrastructureApplication hosting, managed PostgreSQL database, deployment infrastructureUnited States
AWS S3 (via Railway)Object storageSource PDFs, signed PDFs, audit certificates, private and public object storageUnited States (us-east-1)

3. Customer Notice and Objection

Permissio will provide at least 30 days' advance notice of material new Subprocessors through the website, application, email, or other reasonable means. Customers may object to a new Subprocessor on reasonable data protection grounds within that notice period. If the parties cannot resolve the objection, Customer may terminate the affected Services without penalty.


4. Subprocessor Requirements

Permissio will require Subprocessors that process Customer Personal Data to maintain written data protection obligations that are no less protective in substance than those in the Data Processing Addendum, including confidentiality, security, and lawful processing obligations.


5. Updates

This list is updated as Permissio adds, removes, or changes Subprocessors. The current effective date is shown at the top of this page.


Contact

Data protection questions: privacy@permissio.us