Stetful
LegalTrustLegal contact

Security

Subprocessors and Security Disclosure

A factual initial-launch disclosure of Stetful's providers, security posture, and what we do not yet claim.

Documents

Legal

  • Terms
  • Privacy
  • Acceptable Use
  • AI Notice
  • Security
  • Changelog

Trust

  • Trust Principles

Document version

Effective
July 2, 2026
Updated
July 2, 2026
Service scope
U.S. business use

Contact routing

Use the right inbox.

  • Legal notices and terms questionslegal@stetful.com
  • Privacy, data protection, and data-rights requestsprivacy@stetful.com
  • Security reports and vulnerability disclosuressecurity@stetful.com

Effective date: July 2, 2026
Last updated: July 4, 2026

Short version

  • Stetful uses service providers to host, authenticate, store, process, secure, and operate the Service.
  • Stetful does not intentionally log customer legal content or raw extracted legal text.
  • Stetful does not use customer legal content to train foundation models or third-party models.
  • Report vulnerabilities to security@stetful.com.

1. Scope

This disclosure summarizes Stetful’s subprocessors and security posture for the initial U.S. launch. It is factual and modest. It is not a SOC 2 report, SLA, DPA, BAA, penetration-test report, or security certification.

2. Subprocessor list

ProviderPurposeData categoriesLocation / region notesAI training / retention notes
VercelHosting, deployment, runtime infrastructure for web/marketing appsRequest/response metadata, runtime data necessary to serve the app, deployment/build dataU.S./global infrastructure; exact region variesNot an AI model provider. Customer legal content is not intentionally logged.
ClerkAuthentication, sessions, user and organization managementUser account data, email, auth/session data, organization/role dataU.S./global infrastructureNot an AI model provider.
Neon / PostgresOperational database and durable worker queueOperational records, Legal-State Data, metadata, review receipts, job metadataU.S. production configurationNot an AI model provider.
Cloudflare R2 or other S3-compatible object storageEvidence object storageUploaded evidence files, pre-account attachments, object metadataU.S./global infrastructureNot an AI model provider. Object keys are tenant-scoped and opaque.
OpenAIAI-assisted classification, extraction support, answer drafting, structured outputs, or related AI processingBounded prompts/inputs, extracted text snippets where needed, outputs/metadataProcessed according to configured API settingsCustomer Legal Content is processed to provide the Service, not to train models. Provider human review is not permitted except where legally/security-required or expressly enabled.
GitHubSource control, CI, deployment/ops automationCode, configuration, CI logs, synthetic test data, repository metadataU.S./global infrastructureCustomer legal content and secrets must not be placed in CI logs.
Google Workspace / GmailInbound and outbound support, legal, privacy, and security communicationsEmail address, message contents, attachments intentionally sent to StetfulU.S./global infrastructureDo not include unnecessary Customer Legal Content in emails.

3. Security posture

Stetful’s initial security posture is built around minimum viable trust:

  • tenant boundaries for organization-scoped objects;
  • role/capability checks for write and review surfaces;
  • authentication through the configured auth provider;
  • tenant-scoped object storage keys for uploaded evidence;
  • no original uploaded filenames in object-storage keys where avoidable;
  • worker and route behavior designed not to print job payloads, filenames, extracted legal text, storage keys, or customer legal-state content into logs;
  • no raw extracted legal text in operational records, worker results, audit event metadata, or snapshot exports;
  • proposed state changes require company review before accepted state;
  • secrets kept in secret stores, not committed to the repository;
  • tracked-file secret scanning and CI gates; and
  • public vulnerability contact at security@stetful.com.

4. What Stetful does not claim at initial launch

Unless separately published and operationally true, Stetful does not claim:

  • SOC 2, ISO, HIPAA, or other compliance certification;
  • HIPAA business associate status;
  • a formal SLA or uptime commitment;
  • a bug bounty program;
  • a guaranteed vulnerability response timeline;
  • customer-managed encryption keys;
  • region pinning or data residency commitments;
  • enterprise DPA/security addendum terms; or
  • external release/export approval semantics beyond the product’s accepted-state review model.

5. Vulnerability reporting

If you believe you found a vulnerability, contact security@stetful.com.

Please include enough information to help Stetful understand and reproduce the issue, but do not include unnecessary Customer Legal Content, secrets, personal data, or third-party confidential information.

Stetful does not authorize destructive testing, denial-of-service testing, social engineering, spam, physical attacks, or attempts to access another customer’s data.

6. Updates

Stetful will update this disclosure before adding a new subprocessor that materially processes customer legal content or before materially changing the AI-provider, storage, auth, hosting, or database posture.

© 2026 Stetful, Inc.

Legal
  • Terms
  • Privacy
  • Acceptable Use
  • AI Notice
  • Security
  • Changelog
Trust
  • Trust Principles

Contact

  • legal@stetful.com
  • privacy@stetful.com
  • security@stetful.com