Subprocessors
Effective date: May 11, 2026
This page lists the third-party subprocessors Watari engages to operate the Service. Each subprocessor processes Customer Content only as necessary to deliver the function described and only under a data-processing agreement that imposes obligations equivalent to those Watari undertakes in its Data Processing Agreement.
We provide at least 30 days' advance notice before adding or replacing a subprocessor. Subscribe to change notifications by emailing subprocessors@watari.ai with the subject “subscribe”.
AI
| Name | Purpose | Data | Location | Transfer | Added |
|---|---|---|---|---|---|
| Anthropic, PBC | Large language model (Claude API) — bug extraction, code mapping reranking, pull-request drafting, root-cause analysis generation | Support ticket text, conversation threads, code excerpts, extracted bug fields | USA | SCC Module 3 + Anthropic DPA + no-training contract | 2026-03-01 |
| OpenAI, L.L.C. | Embedding API (text-embedding-3-small) — vector embeddings of source code for semantic search | Source code chunks (text) | USA | SCC Module 3 + OpenAI API DPA + 30-day abuse-monitoring retention | 2026-03-01 |
Infrastructure
| Name | Purpose | Data | Location | Transfer | Added |
|---|---|---|---|---|---|
| Supabase, Inc. | Primary database (Postgres), auth, and object storage | All Customer Content | United States (AWS us-east-1) | SCC Module 2 + UK IDTA + DPDP Act §16 cross-border framework, all covered by Supabase DPA | 2026-01-01 |
| Vercel Inc. | Application hosting, edge functions, deployments | Application traffic, request logs, deployment metadata | USA / Global edge | SCC Module 2 + Vercel DPA | 2026-01-01 |
| Inngest, Inc. | Background job orchestration (the AI pipeline) | Job payloads (may include support ticket fragments during pipeline runs) | USA | SCC Module 2 + Inngest DPA | 2026-01-01 |
Authentication
| Name | Purpose | Data | Location | Transfer | Added |
|---|---|---|---|---|---|
| Google LLC ("Sign in with Google") | OAuth-based authentication when a user chooses "Continue with Google" on the Watari login or signup page. Watari receives the user's email address and (where available) full name from Google to provision the Watari account; no Google product data is fetched. | Email address, full name (read-only at sign-in) | USA | SCC Module 2 + Google Cloud DPA | 2026-05-24 |
| Cloudflare, Inc. (Turnstile) | Bot and abuse protection on the signup, login, password-reset, and contact-sales forms. Replaces traditional CAPTCHA. Watari configures the widget in Invisible mode — visitors see no challenge UI; Cloudflare performs the bot check silently. Watari does not receive raw browser fingerprints — only a short-lived verification token consumed once at submit. Cloudflare's own data handling for Turnstile is described in the Turnstile Privacy Addendum: https://www.cloudflare.com/application-services/products/turnstile-privacy-addendum/ | Client IP address, browser environment signals (analysed by Cloudflare, not transmitted to Watari), single-use verification token | USA / Global edge | SCC Module 2 + Cloudflare DPA + Turnstile Privacy Addendum | 2026-05-24 |
Communications
| Name | Purpose | Data | Location | Transfer | Added |
|---|---|---|---|---|---|
| Resend, Inc. | Transactional email delivery | Email address, subject line, message body | USA | SCC Module 2 + Resend DPA | 2026-02-01 |
Billing
| Name | Purpose | Data | Location | Transfer | Added |
|---|---|---|---|---|---|
| Razorpay Software Pvt Ltd | Payment processing, subscription billing, invoicing | Billing contact, billing address, GSTIN, payment method (held by Razorpay; never stored on Watari servers) | India | In-country; PCI-DSS scope offloaded to Razorpay | 2026-01-01 |
Analytics
| Name | Purpose | Data | Location | Transfer | Added |
|---|---|---|---|---|---|
| Functional Software, Inc. (Sentry) | Error monitoring and performance telemetry | Error stack traces, request IDs, error contexts (PII scrubbed before transmission where present) | USA | SCC Module 2 + Sentry DPA | 2026-02-01 |
| PostHog Inc. (planned) | Product analytics (marketing site and in-app events). **Configured but not yet exercised** — SDK not yet installed; no events sent today. Listed in advance so consent + transfer disclosures are in place when the integration ships. | Page views, event metadata, anonymous device identifiers | USA | SCC Module 2 + PostHog DPA; consent-gated for EU/UK visitors | 2026-02-01 |
| Better Stack (partial) | Uptime monitoring (heartbeat receiver active). Status page + on-call alerting **configured but not yet exercised** — endpoints reserved; outbound posting code lands in Prompt 20. | Heartbeat events, response codes, alert metadata | EU | In-EEA; no transfer mechanism required | 2026-04-01 |
Affiliates
BttrLabs Private Limited may engage its own affiliates as subprocessors. As of the effective date above, BttrLabs has no affiliates engaged in processing Customer Content.
Change log
Previous versions of this page are available on request to privacy@watari.ai. Material changes (additions, replacements) are also logged in the git history of this page in the Watari source repository.