Trust Center · Subprocessors

Subprocessors

The third-party services that process Leapo user data on our behalf. We commit to keeping this list complete and current. If you're a B2B partner under contract, we notify you in advance of any new subprocessor.

Last updated: May 20, 2026 · 8 subprocessors listed

Subscribe to subprocessor changes

Partners under contract receive automatic notification of new subprocessors at least 30 days before they go live. Anyone else can subscribe by emailing security@leapo.app — we'll add you to the announcement list.

Supabase

Primary database, authentication, file storage

Website DPA

Data processed: All persistent user data: account profile, business-plan answers, AI usage logs, payment status, mentor pairings.
Country: Germany (EU) — eu-central-1 / Frankfurt, on AWS infrastructure
Transfer mechanism: EU-only — no international transfer
Provider certifications: SOC 2 Type IIHIPAA-readyISO 27001 (via AWS)

Vercel

Application hosting, serverless compute, edge CDN

Website DPA

Data processed: Transient request data (HTTP headers, request bodies) processed during a serverless function call. Not stored.
Country: EU regions for compute; global CDN for static assets
Transfer mechanism: EU compute hosts; CDN may serve static assets from non-EU edges (no PII in static assets).
Provider certifications: SOC 2 Type IIISO 27001

OpenAI

AI Coach, AI Lead Engine, Launch Kit, marketing-plan, social-plan, Instagram-bio generators (gpt-4o-mini)

Website DPA

Data processed: Prompt content sent to the API: niche, city, business-plan summary, user question. Personal identifiers are minimized — see Trust Center §5.
Country: United States
Transfer mechanism: Standard Contractual Clauses (SCCs) under OpenAI's Data Processing Addendum. API data is not used for training (OpenAI default since March 2023).
Provider certifications: SOC 2 Type IICCPA-compliant

Stripe

Payment processing, subscription billing, Customer Portal

Website DPA

Data processed: Billing email, name, payment-method metadata (we never see card numbers), subscription status. Card data is tokenized client-side and never touches our servers.
Country: Ireland (EU) for EU customers — Stripe Payments Europe Ltd
Transfer mechanism: EU controller (Stripe Ireland) for EU/EEA customers. Some operational data may flow to Stripe US under SCCs.
Provider certifications: PCI DSS Level 1SOC 2 Type IIISO 27001

Resend

Transactional email (welcome, milestone, password reset, etc.)

Website DPA

Data processed: Recipient email, recipient name (in greeting), email content (which may include AI-generated business artefacts the user opted to email themselves).
Country: United States (with EU sending IPs available)
Transfer mechanism: Standard Contractual Clauses (SCCs) under Resend's DPA.
Provider certifications: SOC 2 Type II

Sentry

Runtime error monitoring and crash reporting

Website DPA

Data processed: Stack traces, browser metadata, anonymous user ID (Supabase UUID). We do not attach email or name to Sentry events.
Country: United States (EU data residency available, in evaluation)
Transfer mechanism: SCCs under Sentry's DPA
Provider certifications: SOC 2 Type IIISO 27001

PostHog

Product analytics (anonymous funnel tracking)

Website DPA

Data processed: Anonymous device ID, page-view events, feature usage events. No email, name, or business-plan content is sent.
Country: United States (EU Cloud option available, in evaluation)
Transfer mechanism: SCCs under PostHog's DPA
Provider certifications: SOC 2 Type II

Google (OAuth)

Optional sign-in with Google account

Website DPA

Data processed: Only triggered when a user chooses Google sign-in. We receive: email, full name, profile picture URL. We do not access Gmail, Drive, or any other Google services.
Country: United States / global
Transfer mechanism: Data Processing Addendum (Google Cloud DPA) with SCCs for transfers.
Provider certifications: SOC 2 Type IIISO 27001ISO 27018