Legal
Sub-processors
Last updated: May 18, 2026
JourneyFuse uses the third-party service providers listed below to operate the Service. Each one is contractually bound to use customer data only to provide its service to JourneyFuse and to maintain commercially reasonable security practices.
We notify customers of material changes to this list via email (for account contacts) and by updating this page. Customers with a signed Data Processing Agreement can object to the addition of a new sub-processor within 30 days of notification.
| Sub-processor | Purpose | Data | Region |
|---|---|---|---|
| Supabase | Primary database (Postgres), authentication, file storage | Workspace data, client records, trip data, account credentials, uploaded files | United States (AWS) |
| Vercel | Web application hosting and edge delivery | Application traffic, request logs | United States and global edge |
| Evervault | PCI DSS Level 1 card tokenization for client payment authorizations | Credit card numbers, CVV (tokenized in-browser, never on JourneyFuse servers) | United States and EU |
| Stripe | JourneyFuse subscription billing and planning fee collection | Billing contact, payment method tokens | United States |
| Resend | Transactional and outbound email delivery | Email addresses, message contents sent through the Service | United States |
| Sentry | Application error monitoring (PII scrubbed before transmission) | Error stack traces, anonymized request metadata | United States |
| Upstash | Rate limiting and ephemeral cache | Request fingerprints, short-lived session tokens | United States and EU |
| Mapbox | Map tiles and geocoding for itinerary maps | Location queries, IP address | United States |
| OpenAI | AI features under no-training terms: proposal and itinerary generation, email drafting, passport photo OCR, commission-statement extraction | Only the specific text or image submitted for that request; not retained for model training | United States |
| Google (Places API) | Address autocomplete, place lookups, and place photos for itinerary planning | Search queries and place identifiers, no personally identifiable customer data sent | United States |
Infrastructure certifications
JourneyFuse delegates payment, hosting, and database security to providers that hold the following independent certifications:
- Evervault: PCI DSS v4.0.1 Level 1 (audited by Prescient Security LLC, QSA #202-230)
- Stripe: PCI DSS Level 1
- Supabase: SOC 2 Type 2 (AWS-hosted infrastructure with ISO 27001, SOC 1/2/3)
- Vercel: SOC 2 Type 2, ISO 27001
Each provider publishes its own current attestations on its trust or security page; we can point you to them on request at security@journeyfuse.com.
See also our Privacy Policy and Data Processing Agreement.