Subprocessors
Last updated: May 3, 2026
Phoenix Horizon, Inc. ("Phoenix") uses the third-party subprocessors listed below to deliver Rush and related services. Each subprocessor is bound by a written agreement that requires equivalent security and confidentiality protections to those that Phoenix provides under its own Privacy Policy and Terms of Service.
Change notice. We will give existing customers at least 30 days' notice before adding or replacing a Critical or High tier subprocessor that processes customer personal data. Notices are posted on this page and emailed to account owners. Customers may object by contacting privacy@getrush.ai within the notice period.
Cross-border transfers. Where a subprocessor is established outside the EEA or the UK, transfers are governed by the European Commission's 2021 Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented by encryption in transit and at rest.
Tiers. Critical = handles customer data on the production path; SOC 2 Type 2 + DPA required. High = handles operational data on Phoenix's behalf; SOC 2 Type 2 or ISO 27001 + DPA required. Low = invoked only when a specific agent the user installs requires the API; the user is notified in the agent's description.
| Subprocessor | Purpose | Region | Attestation | Tier |
|---|---|---|---|---|
| Supabase | Managed Postgres (sessions metadata, usage metrics, audit logs, accounts) | EU (or US — see notice below) | SOC 2 Type 2 | Critical |
| Hetzner | Compute infrastructure for api.prix.dev | Germany (EU) | ISO 27001 | Critical |
| Cloudflare | CDN, DNS, R2 object storage, Origin CA, Workers | Global anycast | SOC 2 Type 2; ISO 27001/27018; PCI | Critical |
| Stripe | Payments and subscription billing | United States (global) | SOC 2 Type 2; PCI DSS Level 1 | Critical |
| Anthropic | LLM inference (Claude family) routed through our proxy | United States | SOC 2 Type 2 | Critical |
| OpenAI | LLM inference routed through our proxy | United States | SOC 2 Type 2 | Critical |
| OpenRouter | LLM routing fallback | United States | Self-attested | Critical |
| OAuth and Gmail / Calendar / Sheets API access (when user authorizes) | United States / global | SOC 2 Type 2; ISO 27001/27018 | Critical | |
| Microsoft | OAuth and Microsoft 365 API access (when user authorizes) | United States / EU | SOC 2 Type 2; ISO 27001 | Critical |
| Slack | OAuth (workspace integration) when user authorizes | United States | SOC 2 Type 2; ISO 27001 | High |
| Twitter (X) | OAuth when user authorizes | United States | SOC 2 Type 2 | High |
| Notion | OAuth when user authorizes | United States | SOC 2 Type 2 | High |
| WorkOS | Single sign-on for organisations | United States | SOC 2 Type 2 | Critical |
| 1Password Business | Encrypted secrets vault for production secrets | Per tenant | SOC 2 Type 2 | Critical |
| Tailscale | Zero-trust overlay network for administrative access | Global | SOC 2 Type 2 | Critical |
| GitHub | Source code and CI | United States | SOC 2 Type 2 | High |
| Better Stack | Centralized log storage | EU | SOC 2 Type 2 | High |
| Resend | Transactional and operational email | United States | SOC 2 Type 2 | High |
| Grafana Cloud | Metrics dashboards and alerting | United States / EU | SOC 2 Type 2; ISO 27001 | High |
| PostHog | Product analytics (subject to your consent) | United States / EU | SOC 2 Type 2 | High |
| Sentry | Crash and error reports | United States | SOC 2 Type 2 | High |
| Telegram | Operational alerts only — no customer content; migration to PagerDuty in progress | Global | Self-attested | High |
| Sendblue | iMessage gateway for outbound notifications | United States | Self-attested | High |
| Higgsfield | Image / video generation (only when invoked by an agent the user has installed) | United States | Variable | Low |
| Replicate | Model inference (only when invoked by an agent) | United States | Variable | Low |
| Perplexity | Web research API (only when invoked by an agent) | United States | Variable | Low |
| Deepgram | Speech-to-text (only when invoked by an agent) | United States | SOC 2 Type 2 | Low |
| ElevenLabs | Text-to-speech (only when invoked by an agent) | United States | SOC 2 Type 2 | Low |
| Hume | Affective voice (only when invoked by an agent) | United States | Variable | Low |
| Exa | Search API (only when invoked by an agent) | United States | Variable | Low |
| Apify | Web scraping (only when invoked by an agent) | EU | Variable | Low |
| DataForSEO | SEO data (only when invoked by an agent) | United States | Variable | Low |
| Wolfram | Computation API (only when invoked by an agent) | United States | Variable | Low |
| Apollo | Sales prospecting (Phoenix internal only — no customer data) | United States | SOC 2 Type 2 | Low |
| Late.dev | Social scheduling (only when invoked by an agent) | United States | Variable | Low |
| Alpha Vantage | Financial data (only when invoked by an agent) | United States | Variable | Low |
| Financial Modeling Prep | Financial data (only when invoked by an agent) | United States | Variable | Low |
Questions or objections
Contact privacy@getrush.ai with any question about a subprocessor. We respond within 30 days.