What this page is
dist0 uses a small set of third-party companies to run the Service. When one of those companies processes personal information on our behalf, they are a “subprocessor” under our Privacy Policy and the data protection laws that apply to us (GDPR, UK GDPR, and similar regimes).
This page lists the current subprocessors, what each one does, what customer data they may process, and where the processing happens. We enter into a data processing agreement with each subprocessor before handing over data, and we review the list regularly.
Infrastructure and hosting
These vendors host the application and store customer data. All customer data is encrypted at rest using AES-256 and in transit using TLS 1.2 or later.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Vercel Inc. | Web application hosting, edge delivery, build pipeline. | Inputs, Output, account metadata, request logs. | United States |
| Neon Inc. | Managed Postgres database (primary application store). | Inputs, Output, account records, Slack workspace metadata. | United States |
| Fly.io (Hydrobyte Inc.) | Background workers for digest builds and scheduled jobs. | Inputs and Output processed during a job run. | United States |
AI and large language model providers
dist0 sends Inputs to these providers to generate audit findings, drafts, summaries, and Slack assistant responses. We use them under their standard enterprise or API terms, which do not train general-purpose models on submitted data. Providers may retain inputs and outputs briefly under their standard abuse-monitoring policies.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| OpenAI, L.L.C. | Large language model inference (audits, drafts, classifiers). | Inputs sent for a specific request; no email or account identifiers. | United States |
| Anthropic, PBC | Large language model inference (planning, longer-context calls). | Inputs sent for a specific request; no email or account identifiers. | United States |
| OpenRouter, Inc. | Routing layer that forwards LLM calls to model providers above. | Inputs and Output for routed calls. | United States |
Email and Slack
These vendors deliver messages between you and dist0. Slack is listed here because, when you install the dist0 Slack bot, Slack itself processes the messages routed to our app on the way to our backend.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Resend, Inc. | Transactional and waitlist email delivery. | Email addresses, message content sent to you. | United States |
| Slack Technologies, LLC | When you install the dist0 Slack bot, Slack delivers messages and events to dist0. | Slack workspace and user identifiers, messages routed to the bot. | United States |
Analytics
We use one privacy-friendly analytics tool to understand aggregate usage. We do not use third-party advertising cookies or tracking pixels for ad targeting.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Vercel Analytics (Vercel Inc.) | Aggregate, privacy-friendly page view and performance metrics. | Anonymized request signals; no cookies, no cross-site tracking. | United States |
Changes and notifications
We update this page when we add, remove, or replace a subprocessor. Subscribed customers and Slack workspace administrators can request email notifications of material changes by writing to support@dist0.com.
If you have an objection to a new subprocessor for legal or contractual reasons, contact us at the same address before the change takes effect so we can discuss alternatives.
Contact
For questions about subprocessors or to request a copy of a specific data processing agreement, email support@dist0.com.