Subprocessor List
Data processing partners and third-party service providers
Last updated March 25, 2026 · Next review September 25, 2026
1. Introduction
This Subprocessor List identifies all third-party service providers (“Subprocessors”) that process personal data on behalf of Foveate and our clients under the terms of our Data Processing Agreement (DPA). This list is maintained in accordance with GDPR Article 28(2), CCPA requirements, and other applicable data protection regulations.
Foveate provides at least 14 days' advance notice before adding or replacing any Subprocessor and maintains written Data Processing Agreements with all Subprocessors imposing obligations equivalent to those in our DPA with clients.
2. Current Subprocessors
| # | Subprocessor | Processing Activity | Location | Certifications |
|---|---|---|---|---|
| 1 | Google Cloud Platform (GCP) | Infrastructure hosting, compute, storage, networking | US / EU | SOC 2, ISO 27001, FedRAMP |
| 2 | Firebase Authentication | User authentication, identity management | US / EU | SOC 2, ISO 27001 |
| 3 | Cloud Firestore | Database hosting, data storage, retrieval | US / EU | SOC 2, ISO 27001 |
| 4 | Stripe | Payment processing, billing, transaction handling | US | SOC 2, PCI DSS Level 1 |
| 5 | Mux | Video encoding, processing, and delivery | US | SOC 2 |
| 6 | Fal.ai | AI inference, model execution for rendering/suggestions | US | SOC 2 |
3. Key Subprocessor Details
3.1 Google Cloud Platform (GCP)
- Purpose: Primary cloud infrastructure provider for all Foveate platform services
- Data Processed: All encrypted customer platform data, databases, file storage, authentication systems
- Location: US regions (us-central1, us-east1) and EU regions (europe-west1) by client selection
- Certifications: SOC 2 Type II, ISO 27001:2013, FedRAMP
3.2 Stripe (Payment Processing)
- Purpose: Payment processing, billing, subscription management, invoice handling
- Data Processed: Customer billing contact name, address, company name. Foveate never stores full credit card numbers.
- Location: United States
- Certifications: SOC 2 Type II, PCI DSS Level 1
3.3 Fal.ai (AI Features)
- Purpose: AI inference for rendering suggestions, content generation features, and model-based features
- Data Processed: Customer presentation content (3D models, images, text) submitted for AI feature processing only
- Location: United States
- Certifications: SOC 2 Type II
Customer content is processed only to deliver requested AI features. Foveate does not permit use of customer content for model training without explicit written consent.
4. Subprocessor Audit Rights
Clients have the right to audit Foveate's use of Subprocessors under the following terms:
- Annual Audit Request: One audit per calendar year at no charge
- Audit Scope: Review of Subprocessor contracts, certifications (SOC 2, ISO 27001), and compliance practices
- Notice Required: 30 days' advance notice
- Confidentiality: Audit findings are subject to confidentiality agreements with Foveate's Subprocessors
5. Subprocessor Changes and Notifications
- Adding or Replacing: Foveate provides at least 14 days' advance written notice before any new Subprocessor processes data. Clients may object on reasonable data protection grounds.
- Right to Object: If a client objects and no agreement is reached within 30 days, the client may terminate affected Services without penalty.
- EU Data Transfers: All customer-facing Subprocessors have either EU data residency or Standard Contractual Clauses (SCCs) in place for transfers to the US. Swiss transfers include FDPIC amendments.
For Subprocessor questions, contact legal@foveate.com.