Clarita Technology Inc. (“Clarita”) engages the following third-party sub-processors to assist in providing the Clarita platform. This page is maintained in accordance with Section 7 of our Data Processing Agreement.
We will update this page at least thirty (30) days before engaging any new sub-processor or making material changes to an existing sub-processor’s role. To receive notifications of changes, subscribe below.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) — Textract aws.amazon.com Amazon Web Services, Inc. | PDF and document processing; optical character recognition (OCR) and data extraction from uploaded certificates of insurance | Certificate of insurance documents and their contents, including named insured information, policy details, and contact data | United States (us-east-1, Virginia) |
| Anthropic anthropic.com Anthropic, PBC | AI-powered interpretation and analysis of certificate of insurance documents; extraction of structured data from unstructured document content | Certificate of insurance document contents, including named insured information, coverage details, policy numbers, and contact data | United States (San Francisco, CA) |
| Google — Google Authentication cloud.google.com Google LLC | OAuth-based user authentication; identity verification for single sign-on (SSO) | Email address, name, profile information provided by user’s Google account during authentication | United States (Global infrastructure) |
| Microsoft — Azure Authentication azure.microsoft.com Microsoft Corporation | OAuth-based user authentication; identity verification for single sign-on (SSO) via Microsoft / Azure AD accounts | Email address, name, profile information provided by user’s Microsoft account during authentication | United States (Global infrastructure) |
| Supabase supabase.com Supabase, Inc. | Cloud database hosting; backend infrastructure including data storage, real-time subscriptions, and API services | All Customer Data including account information, certificate of insurance data, usage data, and authentication records | Canada (AWS ca-central-1, Montreal) |
| Twilio — SendGrid sendgrid.com Twilio Inc. | Transactional and notification email delivery, including account confirmations, password resets, compliance alerts, and certificate expiration notifications | Email addresses, user names, notification content and metadata | United States (Colorado) |
| Stripe stripe.com Stripe, Inc. | Payment processing; subscription billing, invoicing, and payment method management | Customer name, email address, billing address, payment card details, transaction history, and tax identifiers | United States (San Francisco, CA) |
| Vercel vercel.com Vercel Inc. | Application hosting, deployment, and content delivery; front-end infrastructure and serverless functions | IP addresses, request metadata, session tokens, and application traffic routed through the platform | United States (Global edge network; primary: us-east-1, Virginia) |
To receive email notifications when this list is updated, send a request to:
In accordance with our Data Processing Agreement, we provide at least 30 days’ notice before engaging a new sub-processor.
Clarita’s primary database infrastructure is hosted in Canada (AWS ca-central-1, Montreal region) via Supabase. Certain processing activities, including PDF extraction and AI-powered document interpretation, are performed by sub-processors located in the United States. All sub-processors are contractually bound by data processing agreements that impose obligations at least as protective as those set forth in Clarita’s Data Processing Agreement.
In accordance with Quebec’s Act respecting the protection of personal information in the private sector (as amended by Law 25), Clarita has conducted privacy impact assessments for all cross-border transfers of personal information. Details are available upon request by contacting privacy@clarita.app.
If you have a reasonable, good-faith objection to a new or replacement sub-processor on data protection grounds, you may notify us in writing within fifteen (15) days of receiving notice. We will work with you in good faith to address your concerns. For details on the objection process, see Section 7.4 of our Data Processing Agreement.
Clarita evaluates each sub-processor’s security posture, data protection practices, and compliance certifications before engagement. Sub-processors are required to maintain appropriate technical and organizational measures to protect personal data. Key certifications held by our sub-processors include SOC 2 Type II, ISO 27001, and, where applicable, HIPAA compliance.