Covrabl

Subprocessors

Last updated: May 21, 2026

A subprocessor is a third-party service that Covrabl relies on to operate the platform. This page lists every subprocessor that may process customer data, what data they handle, and where they’re located.

We commit to keeping this list current. When a subprocessor is added or removed we update this page; significant changes are also announced to active customers via email.

Cloudflare
Privacy policy →
Object storage (R2) · Global (Cloudflare network)
Uploaded policy documents (PDFs, images). Stored encrypted at rest.
Railway
Privacy policy →
Application hosting + managed PostgreSQL · United States
Application database (user accounts, policies, agency relationships, audit logs). Encrypted at rest by default.
Vercel
Privacy policy →
Frontend (Next.js) hosting · Global edge network
Static frontend assets only. No customer data is stored on Vercel — all customer data flows directly between the browser and the Railway-hosted API.
Anthropic
Privacy policy →
AI document extraction (primary) · United States
Text extracted from uploaded policy documents is sent to Anthropic (Claude) for structured-field extraction — carrier, policy number, coverage amounts, deductibles, renewal dates, and similar fields. Per Anthropic’s API terms, customer data submitted to the API is NOT used to train models. Documents themselves are not sent to the model; only the extracted text.
OpenAI
Privacy policy →
AI chat / Ask-the-policy assistant · United States
Question text and the relevant policy-text excerpts are sent to OpenAI when a user uses the "Ask Covrabl" chat to ask a question about their coverage. Per OpenAI’s API policy, this data is NOT used to train models. Not used for document extraction.
Stripe
Privacy policy →
Payment processing · United States
Billing email, subscription identifiers, and payment-method tokens (never raw card numbers — Stripe collects these directly via their secure elements). Covrabl stores only the Stripe customer and subscription IDs on its own servers.
Resend
Privacy policy →
Transactional email delivery · United States
Recipient email addresses and email body content (renewal reminders, invitation emails, password resets, share notifications).
GitHub
Privacy policy →
Source code hosting · United States
Application source code only. No customer data.
What we don’t do: We do not sell, rent, or trade customer data. We do not use customer data to train AI models. Aggregated, fully-anonymized analytics may be used internally to improve the product but never shared externally.

Questions about our subprocessors? Email privacy@covrabl.com.