Trust Center
Sub-processors
The third-party services that may process customer personal data on SendTax’s behalf.
Fly.io
Application hosting + managed Postgres/Redis

Cloudflare R2
Document storage (envelope-encrypted)

Google Cloud KMS
Key custody for envelope encryption

Clerk
Authentication + identity
Stripe Identity
KYC verification (government ID + selfie) — 90-day retention
Resend
Transactional + inbound email
Sentry
Error monitoring (scrubbed)
PostHog
Product analytics — no PII, no session recording

Modal
Cloud ML inference for document classification
This page lists the third-party services that may process customer personal data on SendTax's behalf. We maintain it under the Vendor Management Policy, which governs how these sub-processors are selected, monitored, and removed.
All sub-processors below are operated in the United States and serve SendTax's U.S. operations. This is consistent with our stated commitment to U.S.-only data residency for customer information; see our Privacy Policy.
Tier 1 sub-processors
These vendors may process identifiable customer personal data in the ordinary course of delivering SendTax's services.
| Vendor | Service to SendTax | Personal data processed | Region |
|---|---|---|---|
| Fly.io Security | Application hosting, managed PostgreSQL, managed Redis | All customer data stored or processed by SendTax (tax-return data, identity documents, profile, audit logs). Documents are encrypted at the application layer before being written to managed storage. | iad (US East — Ashburn, Virginia) |
| Cloudflare R2 Security | Object storage for customer documents and ML models | Customer document files. Each file is encrypted by SendTax using AES-256-GCM envelope encryption before upload; R2 additionally encrypts at rest at the storage layer. | us-east-1 |
| Google Cloud KMS Security | Key custody for document envelope encryption (KEK) | Cryptographic key material only. KMS never sees plaintext customer data. SendTax authenticates to KMS using Workload Identity Federation — no long-lived service-account keys in production. | us-east1 |
| Clerk Security | Identity provider and authentication | Authentication identifiers (email, name), password material (handled inside Clerk, never seen by SendTax), MFA enrollment state, sign-in event history. Environment-segmented (Clerk-Dev / Clerk-Staging / Clerk-Production). | United States |
| Stripe Identity Trust | KYC verification — government photo ID and selfie/liveness capture for filers and tax preparers | Government-issued photo ID images, selfie images, extracted name/DOB. SendTax's commitment under Data Retention Policy §8 is to delete each artifact 90 days after verification completes, requesting Stripe-side redaction (via the verification_session.redact API, which is asynchronous and may take up to 4 days to complete). | United States |
| Resend Security | Transactional and inbound email | Email addresses and email content for messages SendTax sends to or receives from customers (account email, incident notifications, document-related correspondence). | United States |
| Sentry Security | Error monitoring | Application error context. SendTax scrubs known sensitive fields before transmission; payloads may contain opaque internal identifiers and request metadata. | United States |
| PostHog Security | Product analytics | Pseudonymized product-usage events. Configured to PostHog's U.S. cloud (us.i.posthog.com). Autocapture is off; only explicit milestone events fire. Session recording is not enabled. No personally identifiable information (e.g., document content, SSNs, return values) is captured in events. | United States (us.i.posthog.com) |
| Modal Security | Cloud machine-learning inference for document classification | Document image content while a classification job is running. Returns label predictions; does not persist customer document content beyond the inference window. Falls back to a local ONNX model when the cloud classifier is unavailable. | United States |
Vendor security documentation
Each vendor row above links directly to that vendor's canonical trust or security page, where you can review its security program, certifications, and the terms of its Data Processing Agreement (DPA).
On DPAs: SendTax has not yet executed signed DPAs with each Tier 1 sub-processor. Each vendor's published DPA terms apply by default through their standard terms of service; we will execute named DPAs as we move toward enterprise contracts and SOC 2 attestation. Customers who need a signed DPA chain in place before onboarding can contact [email protected].
Internal-only tools (not sub-processors)
The following vendors are used by SendTax operators but do not, in normal operation, process customer personal data. They are listed for transparency.
| Vendor | Use |
|---|---|
| GitHub | Source-code hosting. Customer personal data is never deliberately written to source control; automated secret-scanning runs on every commit. |
| 1Password | Operator credential storage. Used only by SendTax staff to access tooling; does not store customer personal data. |
| Fly.io Secrets | Encrypted runtime secret storage on the same Fly.io account as the application; covered by Fly.io's data terms in the Tier 1 row above. |
Changes to this list
When a Tier 1 sub-processor is added, removed, or replaced — or when an existing sub-processor expands the data categories it handles — we update this page and notify customers in advance where commercially reasonable, per Vendor Management Policy § 10. The notification mechanism is the same audited fan-out described in our Incident Response Policy § 8.
Objecting to a new sub-processor
Customers who object to a new sub-processor may contact SendTax at [email protected]. We will work with the customer to identify a mutually acceptable path; if no acceptable path is available, the customer may terminate their use of the affected service.
Revision history
| Date | Change |
|---|---|
| 2026-05-21 | Initial publication. |
| 2026-05-29 | Added Stripe Identity (KYC verification for filers and tax preparers). Effective date 2026-06-28 — 30-day advance notice per the change protocol above. |
Contact
| Sub-processor questions and objections | [email protected] |
| Security disclosures | [email protected] |
| General | [email protected] |
| Operating entity | Howell & Gibbs LLC |