Trust
Subprocessors
These are the third parties we use to deliver Wonderful Agent. We notify customers at least 30 days before adding a new one.
These are the third parties we use to deliver Wonderful Agent. We notify customers at least 30 days before adding a new one.
Where we host the data, who processes it, and what they're doing for you. Reviewed quarterly.
| Name | Service provided | Data location | Purpose | Last updated |
|---|---|---|---|---|
| Google Cloud Platform | Compute & managed databases | US (us-central1), EU (europe-west4) | Runs the production application, the agent runtime, and the workspace database for every customer. | Mar 2026 |
| Amazon Web Services | Object storage (S3) | US (us-east-1), EU (eu-west-1) | Stores attachments, exports, and the encrypted artifacts the agents produce while working. | Feb 2026 |
| Anthropic | LLM inference | US | Powers the reasoning and drafting steps the agents take. No customer prompts or completions used to train shared models. | Apr 2026 |
| OpenAI | LLM inference (fallback & embeddings) | US | Secondary model provider for redundancy and certain specialized tasks. Zero-retention API tier. | Apr 2026 |
| Stripe | Billing & payments | US, EU | Processes subscription charges, tax calculation, and invoices. | Jan 2026 |
| HubSpot | Marketing & sales CRM | US, EU | Stores prospect and customer contact information for sales and marketing operations. | Jan 2026 |
| Resend | Transactional email | US, EU | Delivers product notifications, password resets, and customer-addressed messages sent by agents. | Mar 2026 |
| Datadog | Observability & APM | US, EU | Aggregates application metrics, logs, and traces. Customer Data is scrubbed before ingestion. | Feb 2026 |
| PagerDuty | Incident response & on-call | US | Routes production alerts to the on-call engineer and coordinates incident response. | Dec 2025 |
| Vanta | Compliance monitoring | US | Continuous monitoring of our SOC 2 and ISO 27001 controls. Reads from our internal systems; no Customer Data. | Feb 2026 |
| Cloudflare | CDN, WAF & DDoS protection | Global edge | Front door to the application — terminates TLS, blocks abusive traffic, and caches public assets. | Mar 2026 |
| 1Password | Secrets & credential storage | US, EU | Vaults the production secrets our personnel use to operate the Services. Stores no Customer Data directly. | Jan 2026 |
We publish the list above and keep it current. Whenever we add a new subprocessor that will process Personal Data on your behalf — or whenever an existing subprocessor materially changes the scope of its processing — we notify customers in two ways: a banner inside the product workspace and an email to anyone subscribed to the change-log on this page. Notice goes out at least 30 days before the change takes effect. If you have a reasonable, data-protection-grounded objection during that window, contact us and we'll work in good faith to find a workable alternative; if we can't, you can terminate the affected portion of your subscription for convenience.
Some of our subprocessors engage further sub-processors of their own to run their service. We don't republish those full chains here, but we hold each direct subprocessor to data-protection obligations no less protective than our DPA with you, and we audit those obligations through their own SOC 2 or ISO reports. If you need a deeper view for a specific assessment, ask your CSM — we'll share what we can under NDA.
Get an email whenever this page changes — no marketing, just subprocessor updates.
One address per organization works best. We send a short note with the diff each time something changes here.
Connect your tools, brief your first agent, and ship work today. Free for 14 days, no card needed.