Pastor HQ engages a small number of trusted infrastructure providers ("subprocessors") to deliver its services. Each one is bound by a written agreement that prohibits using the data for any purpose other than the one we've contracted them for, and each meets the protection standards described in our Data Processing Addendum.
We update this page whenever a subprocessor is added or removed. Customers who have signed up for change notifications will receive at least 30 days' notice before a new subprocessor begins processing their data. To subscribe, email privacy@pastorhq.comwith "subprocessor notifications" in the subject.
Active subprocessors
| Subprocessor | Purpose | Data accessed | Region |
|---|---|---|---|
| Vercel | Application hosting, edge runtime, deployment | Application logs, IP addresses, request metadata | Global edge (compute pinned to closest available) |
| Supabase | Primary application database, authentication, file storage | All synced ChMS data, account information, audit logs | Sydney, Australia (ap-southeast-2) |
| AWS (KMS only) | Envelope encryption Key Encryption Keys (KEKs) | Encrypted Data Encryption Keys; never plaintext data | Sydney, Australia (ap-southeast-2) |
| Inngest | Background job orchestration (sync workers, webhooks) | Event payloads, function metadata | United States (multi-region) |
| Sentry | Application error and performance monitoring | Error stacks, redacted request metadata, IP address | United States or European Union (configurable per project) |
| Stripe | Subscription billing and payment processing | Customer billing details, payment instruments (handled by Stripe directly) | Global; Stripe Australia for AUD merchants |
| Resend | Transactional email (sign-in links, billing receipts, security alerts) | Recipient email address, message metadata | United States |
| Anthropic | AI features (sermon assistance, summaries) — opt-in per church | Only the prompts and content the customer explicitly submits | United States; Zero Data Retention addendum requested before any production use |
| OpenAI | AI features (alternative provider) — opt-in per church | Only the prompts and content the customer explicitly submits | United States; Zero Data Retention controls applied |
Data residency
Pastor HQ's primary database (Supabase) and KMS keys (AWS) are pinned to the Sydney (ap-southeast-2) region. Application compute (Vercel) is global edge, with code pinned to the closest available region for each request. Background workers (Inngest) and AI providers (Anthropic, OpenAI) are operated outside Australia under Standard Contractual Clauses or equivalent transfer mechanisms.
How we choose subprocessors
- Documented security and privacy posture (DPA available, transparent incident history, third-party attestations where relevant).
- Australian or EU/UK presence where the regulatory requirement makes sense.
- Minimum data exposure — we send only what each provider needs, redacted where possible.
Removed subprocessors
None to date. When a subprocessor is removed we'll list it here with the date and confirmation that data has been deleted from their systems.