Effective date: July 2, 2026
Last updated: July 4, 2026
Short version
- Stetful uses service providers to host, authenticate, store, process, secure, and operate the Service.
- Stetful does not intentionally log customer legal content or raw extracted legal text.
- Stetful does not use customer legal content to train foundation models or third-party models.
- Report vulnerabilities to security@stetful.com.
1. Scope
This disclosure summarizes Stetful’s subprocessors and security posture for the initial U.S. launch. It is factual and modest. It is not a SOC 2 report, SLA, DPA, BAA, penetration-test report, or security certification.
2. Subprocessor list
| Provider | Purpose | Data categories | Location / region notes | AI training / retention notes |
|---|---|---|---|---|
| Vercel | Hosting, deployment, runtime infrastructure for web/marketing apps | Request/response metadata, runtime data necessary to serve the app, deployment/build data | U.S./global infrastructure; exact region varies | Not an AI model provider. Customer legal content is not intentionally logged. |
| Clerk | Authentication, sessions, user and organization management | User account data, email, auth/session data, organization/role data | U.S./global infrastructure | Not an AI model provider. |
| Neon / Postgres | Operational database and durable worker queue | Operational records, Legal-State Data, metadata, review receipts, job metadata | U.S. production configuration | Not an AI model provider. |
| Cloudflare R2 or other S3-compatible object storage | Evidence object storage | Uploaded evidence files, pre-account attachments, object metadata | U.S./global infrastructure | Not an AI model provider. Object keys are tenant-scoped and opaque. |
| OpenAI | AI-assisted classification, extraction support, answer drafting, structured outputs, or related AI processing | Bounded prompts/inputs, extracted text snippets where needed, outputs/metadata | Processed according to configured API settings | Customer Legal Content is processed to provide the Service, not to train models. Provider human review is not permitted except where legally/security-required or expressly enabled. |
| GitHub | Source control, CI, deployment/ops automation | Code, configuration, CI logs, synthetic test data, repository metadata | U.S./global infrastructure | Customer legal content and secrets must not be placed in CI logs. |
| Google Workspace / Gmail | Inbound and outbound support, legal, privacy, and security communications | Email address, message contents, attachments intentionally sent to Stetful | U.S./global infrastructure | Do not include unnecessary Customer Legal Content in emails. |
3. Security posture
Stetful’s initial security posture is built around minimum viable trust:
- tenant boundaries for organization-scoped objects;
- role/capability checks for write and review surfaces;
- authentication through the configured auth provider;
- tenant-scoped object storage keys for uploaded evidence;
- no original uploaded filenames in object-storage keys where avoidable;
- worker and route behavior designed not to print job payloads, filenames, extracted legal text, storage keys, or customer legal-state content into logs;
- no raw extracted legal text in operational records, worker results, audit event metadata, or snapshot exports;
- proposed state changes require company review before accepted state;
- secrets kept in secret stores, not committed to the repository;
- tracked-file secret scanning and CI gates; and
- public vulnerability contact at security@stetful.com.
4. What Stetful does not claim at initial launch
Unless separately published and operationally true, Stetful does not claim:
- SOC 2, ISO, HIPAA, or other compliance certification;
- HIPAA business associate status;
- a formal SLA or uptime commitment;
- a bug bounty program;
- a guaranteed vulnerability response timeline;
- customer-managed encryption keys;
- region pinning or data residency commitments;
- enterprise DPA/security addendum terms; or
- external release/export approval semantics beyond the product’s accepted-state review model.
5. Vulnerability reporting
If you believe you found a vulnerability, contact security@stetful.com.
Please include enough information to help Stetful understand and reproduce the issue, but do not include unnecessary Customer Legal Content, secrets, personal data, or third-party confidential information.
Stetful does not authorize destructive testing, denial-of-service testing, social engineering, spam, physical attacks, or attempts to access another customer’s data.
6. Updates
Stetful will update this disclosure before adding a new subprocessor that materially processes customer legal content or before materially changing the AI-provider, storage, auth, hosting, or database posture.