Sub-processors
Third parties that process customer data on Marshal's behalf. Each entry includes purpose, data accessed, location, and a link to the provider's data processing agreement.
Effective 2026-05-12
Marshal contracts with each sub-processor under terms that prohibit use of customer data for purposes other than providing the service. Specifically, no sub-processor is authorized to use customer content for training AI models or to share customer data with its own sub-processors without our explicit written consent.
If you require a Data Processing Addendum (DPA) that enumerates these sub-processors with notification rights on additions, email legal@marshal.to. The DPA template covers the GDPR Article 28(2) requirement that customers be given a chance to object to new sub-processors before they're added.
| Provider | Purpose | Data accessed | Location | DPA |
|---|---|---|---|---|
| Supabase, Inc. | Managed PostgreSQL database, authentication, and object storage. Stores all customer case data, user accounts, and audit log. | All customer data (cases, intake, memos, documents, users, audit log) | United States (AWS us-east-1) | View |
| Anthropic, PBC | AI model inference (Claude). Processes case content to generate draft memos, finding analyses, report sections, and chat orchestration. Anthropic's commercial terms prohibit use of customer data for model training. | Case content sent for AI processing: intake text, memo drafts, finding rationale, report content. Not all customer data — only content actively submitted to AI tools by the investigator. | United States | View |
| Vercel Inc. | Application hosting, serverless compute, CDN, and scheduled job execution. | Application traffic in transit; no persistent customer data storage (database is Supabase). Request metadata (IP, user-agent) for routing and abuse prevention. | United States (primarily us-east) and global CDN | View |
| Resend, Inc. | Transactional email delivery (account invitations, notifications, password resets). | Recipient email addresses and the body of system-generated emails. No case content — emails contain links to the application rather than investigation data. | United States | View |
| Stripe, Inc. | Subscription billing and payment processing. | Customer billing email, payment method (stored by Stripe; Marshal never sees card data), subscription metadata. No case content. | United States | View |
| Amazon Web Services, Inc. | S3 Object Lock storage for tamper-evident audit attestations. Holds signed chain-tip snapshots in compliance-mode buckets with seven-year retention. | Per-tenant audit chain hashes and HMAC signatures only. No case content or personal data. | United States (us-east-1) | View |
| GitHub, Inc. | Source code hosting and continuous integration. Does not process customer data; listed for transparency. | None — source code only. | United States | — |
Change notice: when we add a new sub-processor with access to customer personal data, existing customers under a DPA receive at least 30 days' notice via email before the change takes effect, with an opportunity to object.
Last reviewed: 5/12/2026.