Trust Center

Sub-processors

The third-party services that may process customer personal data on SendTax’s behalf.

Effective: 2026-05-21Owner: Howell & Gibbs LLCStatus: v1 — initial publicationDownload PDF
  • Fly.io

    Application hosting + managed Postgres/Redis

  • Cloudflare R2

    Document storage (envelope-encrypted)

  • Google Cloud KMS

    Key custody for envelope encryption

  • Clerk

    Authentication + identity

  • Stripe Identity

    KYC verification (government ID + selfie) — 90-day retention

  • Resend

    Transactional + inbound email

  • Sentry

    Error monitoring (scrubbed)

  • PostHog

    Product analytics — no PII, no session recording

  • Modal

    Cloud ML inference for document classification

This page lists the third-party services that may process customer personal data on SendTax's behalf. We maintain it under the Vendor Management Policy, which governs how these sub-processors are selected, monitored, and removed.

All sub-processors below are operated in the United States and serve SendTax's U.S. operations. This is consistent with our stated commitment to U.S.-only data residency for customer information; see our Privacy Policy.


Tier 1 sub-processors

These vendors may process identifiable customer personal data in the ordinary course of delivering SendTax's services.

VendorService to SendTaxPersonal data processedRegion
Fly.io

Security
Application hosting, managed PostgreSQL, managed RedisAll customer data stored or processed by SendTax (tax-return data, identity documents, profile, audit logs). Documents are encrypted at the application layer before being written to managed storage.iad (US East — Ashburn, Virginia)
Cloudflare R2

Security
Object storage for customer documents and ML modelsCustomer document files. Each file is encrypted by SendTax using AES-256-GCM envelope encryption before upload; R2 additionally encrypts at rest at the storage layer.us-east-1
Google Cloud KMS

Security
Key custody for document envelope encryption (KEK)Cryptographic key material only. KMS never sees plaintext customer data. SendTax authenticates to KMS using Workload Identity Federation — no long-lived service-account keys in production.us-east1
Clerk

Security
Identity provider and authenticationAuthentication identifiers (email, name), password material (handled inside Clerk, never seen by SendTax), MFA enrollment state, sign-in event history. Environment-segmented (Clerk-Dev / Clerk-Staging / Clerk-Production).United States
Stripe Identity

Trust
KYC verification — government photo ID and selfie/liveness capture for filers and tax preparersGovernment-issued photo ID images, selfie images, extracted name/DOB. SendTax's commitment under Data Retention Policy §8 is to delete each artifact 90 days after verification completes, requesting Stripe-side redaction (via the verification_session.redact API, which is asynchronous and may take up to 4 days to complete).United States
Resend

Security
Transactional and inbound emailEmail addresses and email content for messages SendTax sends to or receives from customers (account email, incident notifications, document-related correspondence).United States
Sentry

Security
Error monitoringApplication error context. SendTax scrubs known sensitive fields before transmission; payloads may contain opaque internal identifiers and request metadata.United States
PostHog

Security
Product analyticsPseudonymized product-usage events. Configured to PostHog's U.S. cloud (us.i.posthog.com). Autocapture is off; only explicit milestone events fire. Session recording is not enabled. No personally identifiable information (e.g., document content, SSNs, return values) is captured in events.United States (us.i.posthog.com)
Modal

Security
Cloud machine-learning inference for document classificationDocument image content while a classification job is running. Returns label predictions; does not persist customer document content beyond the inference window. Falls back to a local ONNX model when the cloud classifier is unavailable.United States

Vendor security documentation

Each vendor row above links directly to that vendor's canonical trust or security page, where you can review its security program, certifications, and the terms of its Data Processing Agreement (DPA).

On DPAs: SendTax has not yet executed signed DPAs with each Tier 1 sub-processor. Each vendor's published DPA terms apply by default through their standard terms of service; we will execute named DPAs as we move toward enterprise contracts and SOC 2 attestation. Customers who need a signed DPA chain in place before onboarding can contact [email protected].


Internal-only tools (not sub-processors)

The following vendors are used by SendTax operators but do not, in normal operation, process customer personal data. They are listed for transparency.

VendorUse
GitHubSource-code hosting. Customer personal data is never deliberately written to source control; automated secret-scanning runs on every commit.
1PasswordOperator credential storage. Used only by SendTax staff to access tooling; does not store customer personal data.
Fly.io SecretsEncrypted runtime secret storage on the same Fly.io account as the application; covered by Fly.io's data terms in the Tier 1 row above.

Changes to this list

When a Tier 1 sub-processor is added, removed, or replaced — or when an existing sub-processor expands the data categories it handles — we update this page and notify customers in advance where commercially reasonable, per Vendor Management Policy § 10. The notification mechanism is the same audited fan-out described in our Incident Response Policy § 8.

Objecting to a new sub-processor

Customers who object to a new sub-processor may contact SendTax at [email protected]. We will work with the customer to identify a mutually acceptable path; if no acceptable path is available, the customer may terminate their use of the affected service.


Revision history

DateChange
2026-05-21Initial publication.
2026-05-29Added Stripe Identity (KYC verification for filers and tax preparers). Effective date 2026-06-28 — 30-day advance notice per the change protocol above.

Contact

Sub-processor questions and objections[email protected]
Security disclosures[email protected]
General[email protected]
Operating entityHowell & Gibbs LLC