Subprocessor and Provider Inventory
Last updated: June 3, 2026
This inventory explains which providers or provider-like operational systems are used by the service and why. Where provider countries or retention periods depend on deployment region, customer configuration, or provider policy, the row states the public configuration boundary and control rule. Secret values, customer records, backup dumps, and raw provider console exports are not published here.
| Provider or system | Status | Role | Data categories | Purpose | Retention / control boundary |
|---|---|---|---|---|---|
| Supabase | Active | Authentication provider, Auth Admin API, public Edge Function URL surface | Email address, auth user id, sign-in metadata, access and refresh tokens, auth security logs, limited request metadata | Sign-in, session lifecycle, password verification/reset, Auth user deletion, Edge ingress | Authentication authority only. Service/product data writes route to Ubuntu bigcut_service through approved bridges after the 2026-05-15 cutover. |
| Google OAuth | Active when Google sign-in is enabled | OAuth identity provider used through Supabase Auth | Google account identifier, email address, profile metadata returned by the OAuth flow, provider sign-in metadata, limited request metadata | User-requested Google sign-in and account session linking | OAuth provider only. Google does not receive customer audio, embeddings, local library contents, billing authority records, or release ledger authority from Bigcut in the normal sign-in flow. |
| Apple OAuth | Active when Apple sign-in is enabled | OAuth identity provider used through Supabase Auth | Apple account identifier, email address or private relay email when provided, profile metadata returned by the OAuth flow, provider sign-in metadata, limited request metadata | User-requested Apple sign-in and account session linking | OAuth provider only. Apple does not receive customer audio, embeddings, local library contents, billing authority records, or release ledger authority from Bigcut in the normal sign-in flow. |
| Paddle payment provider | Active when billing is enabled | Payment processor and merchant-of-record style billing provider, depending on checkout configuration | Processor customer id, subscription id, transaction id, invoice state, limited payment method reference, country and tax metadata | Checkout, renewals, refunds, invoices, tax, chargeback handling, billing support | Bigcut does not store full card numbers. Billing records may be retained for legal, tax, fraud, chargeback, and dispute obligations. |
| Vercel web hosting provider | Active for the public web deployment | Web hosting, serverless route runtime, deployment platform, cron trigger surface | HTTP request metadata, redacted application logs, deployment environment names without values | Serve web app, account routes, billing cron/recovery routes | Deployment evidence must not expose raw environment values or secrets. Current CLI/deploy evidence shows the public web project is active on Vercel and production serverless function builds now use icn1 after the Seoul region deployment; analytics status and log retention must be tracked from Vercel project evidence. |
| Cloudflare edge protection / tunnel / static asset CDN provider | Active for public domains, DNS, edge proxying, origin tunnel, and static asset CDN/cache | DNS, edge protection, WAF/rate-limit layer, static asset CDN/cache, reverse proxy, and origin tunnel | HTTP request metadata, IP-derived security metadata, edge routing metadata, WAF/rate-limit events, CDN/cache metadata for static assets, tunnel health metadata, redacted logs | Public ingress, TLS/edge delivery, static asset delivery, abuse prevention, availability, and origin protection | Edge provider only. Cloudflare is not product data authority, billing authority, release ledger authority, or customer library authority. Tunnel and DNS credentials are operator secrets and must not appear in public evidence. |
| Redis REST rate-limit provider | Conditional; not observed in Vercel public web env names during the 2026-06-03 CLI audit, and active only when the Redis REST URL and token are enabled and rate limiting is not disabled | Secondary web/API rate-limit counter store | Hashed rate-limit subject keys, policy id, fixed-window counter values, expiry/TTL metadata, and limited request metadata needed to apply the policy | Abuse prevention, signup/account/billing route protection, and service availability | Rate-limit provider is not product data authority. Counters must use hashed subjects, short TTLs, and no customer audio, embeddings, tokens, secrets, raw provider payloads, billing ledger rows, or local library contents. |
| Ubuntu Docker host managed by Bigcut | Active | Self-managed API, worker, Postgres, Redis, relay runtime | Service/product DB rows, account governance rows, billing and credit ledger rows, operational logs | Canonical service/product data runtime after cutover | Bigcut-controlled operational system. Backup artifacts are sensitive and are not published. |
| Modal embedding compute provider | Active when remote embedding mode is used | Remote embedding execution infrastructure | Customer audio in transient processing memory, generated embedding response metadata, limited operational job metadata | Extract numerical embeddings when remote embedding mode is used | Original audio must not be written to long-term provider storage in normal service design. |
| AWS SQS queue provider | Active for import queue wake-up and billing recovery where those paths are enabled | Import queue wake-up signal and Paddle billing recovery replay buffer | Queue message ids, item/job references, minimized Paddle billing recovery payload metadata, provider-scope hashes, redacted raw-HMAC prefixes, and encrypted confidential raw-HMAC subdocuments | Wake import workers and buffer Paddle billing webhook recovery events during service DB outage handling | Queue is a signal/evidence buffer only. Ubuntu service DB and Paddle remain billing authority. Current CLI evidence shows ap-northeast-2 retention of 4 days for the import queue, 12 days for the billing recovery queue, and 14 days for the billing recovery DLQ. SQS evidence must not carry plaintext raw-HMAC values, raw provider payload exports, secrets, DB URLs, or customer records. |
| AWS Lambda webhook intake runtime | Conditional when billing recovery SQS intake is enabled | Paddle billing webhook recovery intake runtime before SQS handoff | Signed Paddle webhook raw body in transient request memory, event id/type, minimized billing payload, provider-scope hashes, webhook secret version, Lambda request/correlation ids, and AWS-origin attestation metadata | Verify Paddle signatures, minimize recovery payloads, encrypt raw-HMAC evidence, and enqueue redaction-safe recovery messages | Intake runtime is not billing authority and must not publish or store raw webhook bodies as customer evidence. Only minimized payload metadata, encrypted raw-HMAC subdocuments, and redacted attestation fields may leave the intake boundary. Current CLI evidence shows the sandbox Lambda CloudWatch log group retention is set to 90 days. |
| AWS KMS key-management provider | Conditional when billing recovery raw-HMAC recovery evidence is enabled | Key-management boundary for Paddle billing recovery raw-HMAC confidential subdocuments | KMS key references, ciphertext blobs, encryption-context metadata, key-version metadata, and transient plaintext raw-HMAC values inside encrypt/decrypt operations | Protect raw-HMAC evidence needed for billing webhook recovery materialization without exposing plaintext raw-HMAC values in queues, logs, docs, or public evidence | KMS is not billing authority. Plaintext raw-HMAC values must not be logged, stored in SQS as plaintext, printed in evidence, or copied into docs; failures must expose only sanitized error codes/classes. Current AWS management-event CloudTrail logging is enabled with a 365-day S3 log lifecycle. |
| S3-compatible temporary object storage | Conditional | Temporary import object transfer | Temporary uploaded audio/object references and checksums while import is pending | Move import objects to workers without making object storage the authority | Lifecycle deletion and DB lease/receipt cleanup must be documented before production use. |
| Customer-connected S3 cloud storage | Conditional when Enterprise Catalog Cloud Storage is enabled | Customer-managed cloud storage integration for Connected Storage discovery, import relay, and publish-to-cloud | Customer storage object metadata, server-resolved object references, short-lived audio relay bytes during user-initiated import, publish manifest metadata | Discover customer-approved cloud audio, import selected items to the local library through a relay, and publish approved local-library proof back to customer storage | Customer storage remains customer-controlled. Bigcut stores connector bindings, cursors, and secret references, not raw provider credentials. Public evidence must not expose raw paths, cursors, credentials, or provider console exports. |
| Dropbox customer-connected cloud storage | Active when Enterprise Catalog Cloud Storage is enabled for Dropbox | Customer-managed cloud storage integration for Connected Storage discovery, import relay, and publish-to-cloud | Customer storage file metadata, server-resolved file references, short-lived audio relay bytes during user-initiated import, publish manifest metadata | Discover customer-approved cloud audio, import selected items to the local library through a relay, and publish approved local-library proof back to customer storage | Customer storage remains customer-controlled. Bigcut stores connector bindings, cursors, and secret references, not raw provider credentials. Public evidence must not expose raw paths, cursors, credentials, or provider console exports. |
| SharePoint or Microsoft Graph customer-connected cloud storage | Active when Enterprise Catalog Cloud Storage is enabled for Microsoft storage | Customer-managed Microsoft cloud storage integration for Connected Storage discovery, import relay, and publish-to-cloud | Drive/item metadata, server-resolved file references, short-lived audio relay bytes during user-initiated import, publish manifest metadata, and connector secret references | Customer-approved Microsoft cloud audio discovery/import through the Connected Storage boundary | Customer Microsoft storage remains customer-controlled. Enablement requires customer notice review, tests, provider readiness evidence, and public inventory updates before expanding scopes or storage behavior. |
| Sentry error monitoring provider | Active for configured web/server/desktop monitoring | Error monitoring and alerting | Redacted stack traces, runtime metadata, error category | Reliability monitoring and incident response | Desktop error reporting is opt-in where product policy says so. Web/server operational monitoring may run when configured for security and reliability. Customer audio, embeddings, secrets, auth tokens, DB URLs, and raw provider payloads must not be included. |
| DMCA.com badge infrastructure | Active on pages that render the DMCA badge | Copyright protection badge script, image, and status link provider | Browser request metadata for badge script/image/status requests, badge protection identifier, referrer and network metadata handled by DMCA.com according to its policies | Display copyright protection badge and link to protection status | Badge provider only. DMCA.com does not receive customer audio, embeddings, local library data, billing authority records, or release ledger authority from Bigcut through the badge integration. |
| Mattermost internal alert provider | Active for configured internal alert delivery | Internal alert delivery | Redacted operational alert summaries, counts, masked email references, and compact user references when needed for signup, security, or incident triage | Operator incident and activity notification | Alerts must avoid raw customer identifiers, full email addresses, bearer tokens, secrets, DB URLs, raw provider payloads, customer audio, embeddings, and local library data. |
| SMTP/email provider used through Nodemailer or Python smtplib | Active for configured transactional and operational email delivery | Transactional and operational email delivery | Recipient email address, delivery metadata, account closure, support, or operational alert email content | Account closure confirmation, support, operational notices, and configured reliability alerts | Email content must avoid secrets and unnecessary customer data. Actual provider is determined by the configured SMTP host and Gmail OAuth2 setting. |