Subprocessors
Anyrow uses the third-party processors listed below to provide the service. Each entry describes the purpose of processing, the processor's location, and the legal basis for any transfer outside the European Economic Area (EEA).
This page is referenced from our Data Processing Agreement (DPA). When we add or change a subprocessor that materially affects the processing of your data, we will announce the change here and give customers at least 30 days' prior notice by email before the change takes effect.
To receive these notifications, email privacy@anyrow.ai with the subject "Subprocessor updates" and include the account email you want on the list.
Active subprocessors
Cloudflare, Inc.
- Purpose: hosting infrastructure (compute, object + key-value + relational storage, queues, CDN), transactional email delivery, and AI inference via Cloudflare Workers AI
- Legal entity for EU customers: Cloudflare, Inc. (US)
- Processing location: EU + global edge
- Transfer mechanism: Standard Contractual Clauses (SCCs) under Art. 46 GDPR
- DPA: https://www.cloudflare.com/cloudflare-customer-dpa/
Stripe Payments Europe, Ltd.
- Purpose: subscription billing, card processing, invoicing
- Legal entity for EU customers: Stripe Payments Europe, Ltd. (Ireland)
- Processing location: Ireland (EU)
- Transfer mechanism: Intra-EU; SCCs apply for any non-EU onward transfer
- DPA: https://stripe.com/legal/dpa
Google LLC
- Purpose: AI document extraction via Google AI API (Gemini models)
- Legal entity: Google LLC (US) — we operate on the paid tier with billing enabled, under which the Google AI API terms prohibit use of Customer inputs to improve Google products
- Processing location: US
- Transfer mechanism: Standard Contractual Clauses (SCCs) under Art. 46 GDPR
- DPA: https://cloud.google.com/terms/data-processing-addendum
Microsoft Ireland Operations Ltd.
- Purpose: AI document extraction via Azure AI Document Intelligence
- Status: planned — provisioned but not yet in the production data flow. This entry will take effect when the Azure extraction path is deployed; it is listed here in advance so Customers are not surprised by a silent activation.
- Legal entity for EU customers: Microsoft Ireland Operations Ltd.
- Processing location: EU (resource is provisioned in an EU region under the Azure EU Data Boundary commitment)
- Transfer mechanism: Intra-EU
- DPA: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
How we assess a new subprocessor
Before engaging a subprocessor we verify they provide:
- Appropriate technical and organizational measures under Art. 32 GDPR
- A signed DPA binding them to equivalent data-protection obligations
- An adequate legal transfer mechanism if processing occurs outside the EEA
- A public security and compliance posture (SOC 2 Type II or ISO 27001 where this can reasonably be expected at the provider's scale)
Objection right
If you object to a new subprocessor on reasonable data-protection grounds, you may terminate your subscription for the affected workspace(s) within 14 days of our notice and receive a pro-rata refund of fees paid for the unused period. This does not extend to subprocessor changes that are required to maintain legally mandated operations (e.g. regulatory compliance).
Change log
- 2026-04-13 — initial list published.