
Sub-processors

The third-party services listed here process customer data on behalf of Thirdwatch. This is a required disclosure under GDPR Art. 28. We maintain a signed DPA with every sub-processor below before any customer data flows to them.

Last updated:

Active sub-processors

Apify
DPA →
Purpose: Hosts and executes the underlying scraper actors that fulfill MCP tool calls.
Region: United States (with EU/Asia compute regions per actor)
Data: API key (issued by us), tool input parameters, tool output (which may contain scraped third-party PII).

Railway
DPA →
Purpose: Hosts the Thirdwatch MCP server, landing site, and Postgres instance.
Region: United States (US-East)
Data: All HTTP request data, application logs, customer database (users, credit ledger, usage events).

Sentry
DPA →
Purpose: Error monitoring, performance tracing, alerting.
Region: European Union (project provisioned in eu.sentry.io)
Data: Stack traces, route templates, Clerk user IDs (non-reversible), tool names, latency. Never: emails, IP addresses, request bodies, environment variables (stripped via before_send hook + EventScrubber denylist), webhook payloads.

PostHog
DPA →
Purpose: Product analytics — signup/conversion funnels, feature usage.
Region: European Union (eu.i.posthog.com host)
Data: Anonymous device IDs (pre-signup), Clerk user IDs (post-signup), page views, marketing-page autocapture (clicks/forms). Never: emails, OAuth tokens, per-step authentication telemetry, IP addresses (stripped client-side via posthog.init({ ip: false })).

Clerk
DPA →
Purpose: Authentication, session management, OAuth identity.
Region: United States
Data: Email, sign-in metadata, session tokens.

Dodo Payments
DPA →
Purpose: Payment processing, subscription billing, invoice generation.
Region: United States (Stripe-backed)
Data: Customer email, billing address, payment method (last 4 only).

Conditionally activated (Phase 2)

The sub-processors below are not active today. They will be added to the "Active" list with at least 30 days' notice before any customer data is sent.

Langfuse
DPA →
Purpose: LLM observability + evaluation — traces of the professional_search router, response-quality scoring. Activated only when professional_search exceeds 1K calls/day.
Region: European Union (self-hosted on Railway if required) or United States (cloud).
Data: User-typed natural-language query (PII-redacted before send), router decision, redacted tool result (lat/lng truncated, phone/email stripped).

Notification of changes

We notify customers in writing at least 30 days before adding or changing a sub-processor that processes their data. To receive notifications, ensure your account email is current. Material objections to a new sub-processor entitle you to terminate the affected service before the new sub-processor goes live.

Data subject requests

Requests under GDPR / DPDP / CCPA (access, deletion, portability, rectification) should be sent to support@thirdwatch.dev. We respond within 30 days.