Sub-processor List

Last Updated: March 11, 2026 · Version 1.0

Complete list of third-party service providers that may process personal data as sub-processors of Bespoke Mentis, Inc.

GDPR Article 28(4) Compliance

All sub-processors listed below are contractually bound by data processing terms equivalent to those in our Data Processing Addendum (DPA). Bespoke Mentis remains fully liable for the performance of each sub-processor's data protection obligations. Enterprise customers may request notification of sub-processor changes: email with subject line "Subscribe to Sub-processor Notifications."

Current Sub-processors

Vercel, Inc.

Cloud infrastructure, hosting, CDN, and analytics

United States

Data processedPage view data, IP address (for routing and security), form submission data (in transit)

Used inAll products — infrastructure layer

CertificationSOC 2 Type II

Privacy policyhttps://vercel.com/legal/privacy-policy

Neon, Inc. (Vercel Postgres)

Managed PostgreSQL database

United States (AWS us-east-1)

Data processedForm submission records, CRM data, analytics events, Signal drafts, audit ledger, admin session data

Used inAll products — database layer

CertificationSOC 2 Type II

Privacy policyhttps://neon.tech/privacy-policy

OpenAI, L.L.C.

AI model inference (GPT-4 and successors)

United States

Data processedPublic Mentis chat messages (anonymous session — no name or email transmitted); AI prompt construction for admin tools

Used inMentis chat (public), MIOS admin intelligence tools

CertificationSOC 2 Type II

Privacy policyhttps://openai.com/privacy

Resend (Resend, Inc.)

Transactional email delivery

United States

Data processedRecipient name, email address, message subject and body for transactional notifications

Used inAll products — notification emails

CertificationSOC 2 Type II

Privacy policyhttps://resend.com/privacy

Twilio Inc. (SendGrid)

Transactional email delivery (backup)

United States

Data processedRecipient name, email address, message delivery logs (30-day retention)

Used inAll products — email delivery (secondary)

CertificationSOC 2 Type II, ISO 27001

Privacy policyhttps://www.twilio.com/legal/privacy

Google LLC

Google Calendar — meeting scheduling

United States (global CDN)

Data processedName, email address, meeting time, calendar event details

Used inWebsite — meeting scheduling

CertificationISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3

Privacy policyhttps://policies.google.com/privacy

Intuition Machines, Inc. (hCaptcha)

CAPTCHA and bot detection

United States

Data processedIP address, browser fingerprint signals, interaction patterns

Used inWebsite — Mentis chat human verification

CertificationGDPR-compliant (privacy-preserving design)

Privacy policyhttps://www.hcaptcha.com/privacy

LinkedIn Corporation

OAuth 2.0 authentication for social publishing (Strategic Signal Command — admin only)

United States

Data processedOAuth access tokens (encrypted AES-256-GCM at rest). Scopes: openid, profile, email, w_member_social, w_organization_social, rw_organization_admin.

Used inMIOS admin — Strategic Signal Command

CertificationSOC 2, ISO 27001

Privacy policyhttps://www.linkedin.com/legal/privacy-policy

Google LLC (Gmail OAuth)

Gmail OAuth 2.0 for outbound email delivery (Agent Conexus)

United States

Data processedOAuth access tokens (encrypted AES-256-GCM at rest). Scopes: send-only Gmail access. No email reading.

Used inAgent Conexus — outbound email delivery

CertificationISO 27001, SOC 2

Privacy policyhttps://policies.google.com/privacy

Change Log

March 11, 2026v1.0 — Initial published sub-processor list. 9 sub-processors disclosed.

Enterprise customers enrolled in change notifications will be notified by email at least 14 days before any addition or replacement of a sub-processor that processes EU/EEA personal data.