Sub-processors
Pursuant to Article 28 of the GDPR, this is the complete list of sub-processors Scope relies on to operate the service. Each one is bound to Scope by an enforceable Data Processing Agreement.
Last updated: 11 June 2026 · v2026.06.11-v5
| Sub-processor | Service | Data region | Certifications | DPA |
|---|---|---|---|---|
| Railway Corp. (Railway) | Hosting of the Next.js application on a persistent container and execution of application routes. | EU West region (European Union) | SOC 2 Type II, EU Standard Contractual Clauses (SCCs) | Link |
| Supabase, Inc. (Supabase) | Postgres database, authentication, object storage and Realtime for briefs, scoping documents, audit log and exports. | Dublin, Ireland (eu-west-1 region) | SOC 2 Type II, HIPAA-ready | Link |
| OpenRouter, Inc. (OpenRouter) | LLM router with a contractual data_collection=deny clause: your prompts and the generated responses are never used to train the models. | Stateless proxy (United States) routing requests to OpenAI and Anthropic (United States), under EU Standard Contractual Clauses | EU Standard Contractual Clauses (SCCs) | Link |
| Gladia SAS (Gladia) | Enterprise-grade audio transcription specialised in French, used for scoping notes from meeting recordings. | Paris, France | GDPR, DPA available | Link |
| Mistral AI SAS (Mistral AI) | Text extraction by OCR (mistral-ocr-latest) on PDF and image files uploaded as brief pieces. Source content transits the Mistral API during processing; the structured markdown result is persisted to Supabase EU. Enabled only when the MISTRAL_OCR_ENABLED flag is set server-side; otherwise the PDF/image upload surface displays a "coming soon" notice and no call is emitted. Secondary usage (PH10, 2026-06-10): LLM fallback provider in the resilience chain. If OpenRouter becomes unavailable, extraction, clarification and scoping calls switch to the Mistral API for the duration of the outage. Paris (EU) hosting is a sovereign choice, both to minimise data exposure during an incident and because OpenRouter (which already multiplexes OpenAI and Anthropic) covers provider diversity in nominal mode. The fallback link is enabled only when MISTRAL_API_KEY is configured; otherwise it is skipped. | Paris, France | GDPR, EU sovereign hosting, No-training by default | Link |
| Scope (self-hosted DocuSeal instance) | eIDAS-compliant e-signature for scoping notes, proposals and DPAs. The DocuSeal instance is self-hosted by the publisher on Railway (EU West region); no signed data is shared with a third party. | Railway, EU West region (European Union) | eIDAS (advanced electronic signature), Self-hosted in the EU | Link |
| Plus Five Five, Inc. (Resend) | Delivery of transactional emails (notifications, confirmations, magic links, signatures, exports ready). | eu-west-1 region (Ireland) | SOC 2 Type II, HIPAA-ready | Link |
| Stripe Payments Europe Ltd (Stripe) | Payment processing, subscription management and customer invoice issuance. No card data ever transits Scope's servers (full tokenisation). | Dublin, Ireland | PCI DSS Level 1, SOC 1, SOC 2 Type II, ISO 27001 | Link |
| Plausible Insights OÜ (Plausible) | Self-hosted web analytics with no cookies and no personal data. Activated only after explicit consent. | Germany (Hetzner) | GDPR by design, Cookieless | Link |
| Burke Software & Consulting LLC (GlitchTip) | Capture of runtime errors on the server and in the browser, to identify and fix regressions. Payloads are scrubbed (PII, secrets) before transmission. | DigitalOcean Frankfurt, Germany (EU data residency) | EU data residency, Open source (MIT), DPA on request (contractual no-transfer commitment) | Link |
| Cloudflare, Inc. (Cloudflare R2, EU) | S3-compatible object storage (EU bucket) holding the weekly Postgres database backups (compressed and encrypted SQL dump). No application content is read live from this bucket; access is restricted to disaster-recovery dumps. | European Union (R2 jurisdiction = EU, bucket pinned to EU) | SOC 2 Type II, ISO 27001, EU Standard Contractual Clauses (SCCs), 90-day retention (bucket lifecycle policy) | Link |
| Cloudflare, Inc. (Cloudflare) | DNS resolution for the getscope.dev domain and email routing to professional inboxes. No application data transits Cloudflare. | Global anycast network | SOC 2 Type II, ISO 27001, PCI DSS | Link |
| BetterStack UAB (Better Stack) | Uptime monitoring of getscope.dev public routes and heartbeats from scheduled jobs (crons). No personal data transits Better Stack: only public HTTP probes and job-completion pings. | Vilnius, Lithuania (EU) | GDPR, EU hosting, DPA available | Link |
| Scaleway SAS, Iliad Group (Scaleway) | S3-compatible object storage with 7-year Object Lock COMPLIANCE for the immutable archive of the `audit_logs` journal (legal retention L123-22, 10 years). The monthly cron `archive_audit_logs_older_than_13_months()` moves rows past the HOT window to Scaleway Object Storage Paris (`fr-par`, bucket `scope-audit-cold-prod`). In COMPLIANCE mode, deletion or overwrite of the archive is IMPOSSIBLE even with root credentials; there is no provider-side bypass. | Paris (DC5 datacenter, `fr-par` region) | GDPR, ISO 27001, HDS (French health-data certified host), French sovereignty (Iliad SAS subsidiary, outside Cloud Act), Object Lock COMPLIANCE (7-year non-bypassable retention) | Link |
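The Mistral AI row describes two server-side gates that decide whether customer content ever reaches that sub-processor: the OCR path runs only when `MISTRAL_OCR_ENABLED` is set, and the LLM fallback link exists only when `MISTRAL_API_KEY` is configured. The snippet below is an added illustration of that gating and of the fallback walk, not Scope's code: the function names, the env dicts and the offline provider doubles are constructed here, and the point of the `contacted` list is to let a reviewer assert which sub-processors actually received data on a given request, so the published list can be checked against real data flows.

```python
"""Feature-flag gating and LLM fallback chain, modelled on the rules the
sub-processor table states for OpenRouter and Mistral AI.
Added example, not Scope's code: every function, flag wiring and provider
double here is constructed for illustration and runs without network access."""
from typing import Callable, Mapping, Optional, Tuple

ProviderFn = Callable[[str], str]          # prompt -> generated text


class ProviderUnavailable(Exception):
    """Raised by a provider callable when the upstream API cannot be reached."""


def build_llm_chain(env: Mapping[str, str],
                    openrouter: ProviderFn,
                    mistral: ProviderFn) -> list:
    """Nominal mode is OpenRouter only. Mistral is appended as the fallback link
    only when MISTRAL_API_KEY is configured; otherwise the link is skipped."""
    chain = [("openrouter", openrouter)]
    if env.get("MISTRAL_API_KEY"):
        chain.append(("mistral", mistral))
    return chain


def run_with_fallback(chain: list, prompt: str, contacted: list) -> Tuple[str, str]:
    """Walk the chain in order; every sub-processor that actually receives the
    prompt is appended to `contacted` (a data-flow record for the DPO)."""
    failures = []
    for name, fn in chain:
        contacted.append(name)
        try:
            return name, fn(prompt)
        except ProviderUnavailable as exc:
            failures.append(f"{name}: {exc}")
    raise RuntimeError("no provider available: " + "; ".join(failures))


def ocr_extract(env: Mapping[str, str], file_bytes: bytes,
                mistral_ocr: Callable[[bytes], str], contacted: list) -> dict:
    """PDF/image OCR is sent to Mistral only when MISTRAL_OCR_ENABLED is set
    server-side; otherwise the caller gets the 'coming soon' status and no
    bytes leave the server."""
    if env.get("MISTRAL_OCR_ENABLED") != "1":
        return {"status": "coming_soon", "markdown": None}
    contacted.append("mistral")
    return {"status": "ok", "markdown": mistral_ocr(file_bytes)}


# ---- constructed offline doubles standing in for the real APIs ----
def fake_openrouter_up(prompt: str) -> str:
    return f"[openrouter] {prompt}"


def fake_openrouter_down(prompt: str) -> str:
    raise ProviderUnavailable("503 from router")


def fake_mistral(prompt: str) -> str:
    return f"[mistral] {prompt}"


def fake_mistral_ocr(data: bytes) -> str:
    return f"# extracted {len(data)} bytes"


def demo(env: Mapping[str, str], openrouter_up: bool) -> dict:
    """Run one request through both paths and report which provider answered
    and which sub-processors were contacted (sorted, de-duplicated)."""
    contacted: list = []
    router = fake_openrouter_up if openrouter_up else fake_openrouter_down
    chain = build_llm_chain(env, router, fake_mistral)
    used: Optional[str]
    try:
        used, _ = run_with_fallback(chain, "scoping question", contacted)
    except RuntimeError:
        used = None                       # outage with no fallback configured
    ocr = ocr_extract(env, b"%PDF-1.4 constructed sample", fake_mistral_ocr, contacted)
    return {"used": used, "ocr": ocr["status"], "contacted": sorted(set(contacted))}


if __name__ == "__main__":
    print(demo({}, openrouter_up=True))                          # nominal, OCR off
    print(demo({"MISTRAL_API_KEY": "x"}, openrouter_up=False))   # outage, fallback on
    print(demo({}, openrouter_up=False))                         # outage, no fallback
    print(demo({"MISTRAL_OCR_ENABLED": "1"}, openrouter_up=True))
```

The useful check for a defender is the last field: with neither flag set, `contacted` never contains `mistral`, which is exactly the behaviour the table promises; a unit test of this shape in the real code base would catch a regression that silently widened the data flow to a sub-processor.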
Updates to this list
In line with Article 28.2 of the GDPR, you can receive notifications when this list changes by writing to dpo@getscope.dev. Any change is notified to subscribed customers by email at least 30 days before it takes effect, with a right to object on the terms set out in the DPA.
For complementary detail (Cloud Act mitigations, compliance status, machine-readable JSON endpoint), consult our Trust Center.