LeanOS
Home
Subprocessors

Who else touches your data.

Last updated: 3 May 2026

A subprocessor is a third party we use to provide the LeanOS service. This page lists every subprocessor that processes Customer Data, and what each one does. We update this list before adding any new material subprocessor and notify active Customer administrators by email at least 30 days in advance.

Active subprocessors

Supabase

WebsiteDPA
Purpose: Primary database (Postgres), file storage (defect photos, documents), authentication. Row-level security enforces org-level isolation on every query.
Data processed: Account data, Customer Data, photos, audit logs.
Region: Configurable per Customer; default ap-south-1 (Mumbai). EU and US regions available on enterprise plans.

Vercel

WebsiteDPA
Purpose: Application hosting, edge serving, build & deploy infrastructure. Vercel does not have access to the Postgres database or Customer Data at rest; it only serves request/response traffic.
Data processed: Application traffic, server logs, no Customer Data at rest.
Region: Global edge; primary region: US East.

Anthropic

WebsiteDPA
Purpose: Claude AI models (vision + language) for defect categorization, A3 5-Whys / Fishbone suggestions, fix-plan generation, Plant Coach insights, scoring breakdowns. Per Anthropic's commercial terms, Customer Data sent to the API is not used to train models.
Data processed: Defect photos, short text payloads (defect descriptions, A3 case context). Sent at request time only; not stored at Anthropic beyond their stated retention.
Region: United States (Anthropic data centers).

Resend

WebsiteDPA
Purpose: Transactional email delivery — sign-in magic links, audit summaries, kaizen verification notifications, sensei application receipts, account recovery emails.
Data processed: Recipient email address, sender email address, subject line, message body, send timestamp, delivery status.
Region: United States.

Google (Zoho Mail forwarding)

WebsiteDPA
Purpose: Inbound email handling for founder@getleanos.com support / grievance address. Email content is not synced into LeanOS systems.
Data processed: Inbound email content sent to founder@getleanos.com.
Region: Zoho Mail — India.

Proposed subprocessors (not yet active)

These vendors are scheduled to be added when the related feature ships. Customers will receive 30 days' advance notice before activation.

Razorpay

Website
Purpose: Payment processing for paid subscriptions and pilots that convert to paid. Not yet wired; will be added with 30 days' advance notice to active Customers.
Data processed: Customer billing email, payment method tokens (Razorpay vault — we never see card numbers), invoice metadata.
Region: India.

What we do not use

  • Advertising networks — no Google Ads, no Meta Pixel, no LinkedIn Insight Tag.
  • Behavioural analytics — no Google Analytics, Mixpanel, Amplitude, Heap, FullStory, Hotjar, etc.
  • Customer-data marketplaces or enrichment — Customer Data is never enriched against Clearbit, ZoomInfo, or similar.
  • ML training — Customer Data is never used to train any LeanOS-owned or partner- owned model.

Subprocessor change notifications

Customers may subscribe to subprocessor change notifications by emailing founder@getleanos.com with the subject line “Subprocessor notifications”. By default, we email the workspace administrator on file.

Customers who object to a new subprocessor may terminate the affected service under Section 14 of the Terms of Service with a pro-rata refund.