Sub-processors
Last updated: March 2026
Covren uses the following third-party sub-processors to deliver our service. We notify customers of changes to this list per our Data Processing Agreement.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic | AI classification and draft generation | Redacted change summaries (no secrets, PII, or raw code) | United States |
| Stripe | Billing and payment processing | Email, subscription plan, payment method (Stripe-hosted — we never store card data) | United States |
| SendGrid | Transactional email delivery | Email addresses, verification tokens | United States |
| Railway | Application hosting and compute | All application data (encrypted at rest and in transit) | United States |
| Railway PostgreSQL | Primary database | All tenant data (encrypted at rest) | United States |
| Railway Redis | Rate limiting and session cache | Session tokens, rate limit counters (no PII) | United States |
How we select sub-processors
Before engaging any sub-processor, we evaluate their security practices, data handling policies, and compliance certifications. All sub-processors are bound by contractual data protection obligations.
Change notifications
We will notify customers at least 30 days before adding or replacing a sub-processor. If you have concerns about a new sub-processor, you may object per the terms of your Data Processing Agreement.
Questions
For questions about our sub-processors or data processing practices, contact us at the email listed on our Security page.