Subprocessor and Provider Inventory

Last updated: June 3, 2026

This inventory explains which providers or provider-like operational systems are used by the service and why. Where provider countries or retention periods depend on deployment region, customer configuration, or provider policy, the row states the public configuration boundary and control rule. Secret values, customer records, backup dumps, and raw provider console exports are not published here.

Provider or systemStatusRoleData categoriesPurposeRetention / control boundary
SupabaseActiveAuthentication provider, Auth Admin API, public Edge Function URL surfaceEmail address, auth user id, sign-in metadata, access and refresh tokens, auth security logs, limited request metadataSign-in, session lifecycle, password verification/reset, Auth user deletion, Edge ingressAuthentication authority only. Service/product data writes route to Ubuntu bigcut_service through approved bridges after the 2026-05-15 cutover.
Google OAuthActive when Google sign-in is enabledOAuth identity provider used through Supabase AuthGoogle account identifier, email address, profile metadata returned by the OAuth flow, provider sign-in metadata, limited request metadataUser-requested Google sign-in and account session linkingOAuth provider only. Google does not receive customer audio, embeddings, local library contents, billing authority records, or release ledger authority from Bigcut in the normal sign-in flow.
Apple OAuthActive when Apple sign-in is enabledOAuth identity provider used through Supabase AuthApple account identifier, email address or private relay email when provided, profile metadata returned by the OAuth flow, provider sign-in metadata, limited request metadataUser-requested Apple sign-in and account session linkingOAuth provider only. Apple does not receive customer audio, embeddings, local library contents, billing authority records, or release ledger authority from Bigcut in the normal sign-in flow.
Paddle payment providerActive when billing is enabledPayment processor and merchant-of-record style billing provider, depending on checkout configurationProcessor customer id, subscription id, transaction id, invoice state, limited payment method reference, country and tax metadataCheckout, renewals, refunds, invoices, tax, chargeback handling, billing supportBigcut does not store full card numbers. Billing records may be retained for legal, tax, fraud, chargeback, and dispute obligations.
Vercel web hosting providerActive for the public web deploymentWeb hosting, serverless route runtime, deployment platform, cron trigger surfaceHTTP request metadata, redacted application logs, deployment environment names without valuesServe web app, account routes, billing cron/recovery routesDeployment evidence must not expose raw environment values or secrets. Current CLI/deploy evidence shows the public web project is active on Vercel and production serverless function builds now use icn1 after the Seoul region deployment; analytics status and log retention must be tracked from Vercel project evidence.
Cloudflare edge protection / tunnel / static asset CDN providerActive for public domains, DNS, edge proxying, origin tunnel, and static asset CDN/cacheDNS, edge protection, WAF/rate-limit layer, static asset CDN/cache, reverse proxy, and origin tunnelHTTP request metadata, IP-derived security metadata, edge routing metadata, WAF/rate-limit events, CDN/cache metadata for static assets, tunnel health metadata, redacted logsPublic ingress, TLS/edge delivery, static asset delivery, abuse prevention, availability, and origin protectionEdge provider only. Cloudflare is not product data authority, billing authority, release ledger authority, or customer library authority. Tunnel and DNS credentials are operator secrets and must not appear in public evidence.
Redis REST rate-limit providerConditional; not observed in Vercel public web env names during the 2026-06-03 CLI audit, and active only when the Redis REST URL and token are enabled and rate limiting is not disabledSecondary web/API rate-limit counter storeHashed rate-limit subject keys, policy id, fixed-window counter values, expiry/TTL metadata, and limited request metadata needed to apply the policyAbuse prevention, signup/account/billing route protection, and service availabilityRate-limit provider is not product data authority. Counters must use hashed subjects, short TTLs, and no customer audio, embeddings, tokens, secrets, raw provider payloads, billing ledger rows, or local library contents.
Ubuntu Docker host managed by BigcutActiveSelf-managed API, worker, Postgres, Redis, relay runtimeService/product DB rows, account governance rows, billing and credit ledger rows, operational logsCanonical service/product data runtime after cutoverBigcut-controlled operational system. Backup artifacts are sensitive and are not published.
Modal embedding compute providerActive when remote embedding mode is usedRemote embedding execution infrastructureCustomer audio in transient processing memory, generated embedding response metadata, limited operational job metadataExtract numerical embeddings when remote embedding mode is usedOriginal audio must not be written to long-term provider storage in normal service design.
AWS SQS queue providerActive for import queue wake-up and billing recovery where those paths are enabledImport queue wake-up signal and Paddle billing recovery replay bufferQueue message ids, item/job references, minimized Paddle billing recovery payload metadata, provider-scope hashes, redacted raw-HMAC prefixes, and encrypted confidential raw-HMAC subdocumentsWake import workers and buffer Paddle billing webhook recovery events during service DB outage handlingQueue is a signal/evidence buffer only. Ubuntu service DB and Paddle remain billing authority. Current CLI evidence shows ap-northeast-2 retention of 4 days for the import queue, 12 days for the billing recovery queue, and 14 days for the billing recovery DLQ. SQS evidence must not carry plaintext raw-HMAC values, raw provider payload exports, secrets, DB URLs, or customer records.
AWS Lambda webhook intake runtimeConditional when billing recovery SQS intake is enabledPaddle billing webhook recovery intake runtime before SQS handoffSigned Paddle webhook raw body in transient request memory, event id/type, minimized billing payload, provider-scope hashes, webhook secret version, Lambda request/correlation ids, and AWS-origin attestation metadataVerify Paddle signatures, minimize recovery payloads, encrypt raw-HMAC evidence, and enqueue redaction-safe recovery messagesIntake runtime is not billing authority and must not publish or store raw webhook bodies as customer evidence. Only minimized payload metadata, encrypted raw-HMAC subdocuments, and redacted attestation fields may leave the intake boundary. Current CLI evidence shows the sandbox Lambda CloudWatch log group retention is set to 90 days.
AWS KMS key-management providerConditional when billing recovery raw-HMAC recovery evidence is enabledKey-management boundary for Paddle billing recovery raw-HMAC confidential subdocumentsKMS key references, ciphertext blobs, encryption-context metadata, key-version metadata, and transient plaintext raw-HMAC values inside encrypt/decrypt operationsProtect raw-HMAC evidence needed for billing webhook recovery materialization without exposing plaintext raw-HMAC values in queues, logs, docs, or public evidenceKMS is not billing authority. Plaintext raw-HMAC values must not be logged, stored in SQS as plaintext, printed in evidence, or copied into docs; failures must expose only sanitized error codes/classes. Current AWS management-event CloudTrail logging is enabled with a 365-day S3 log lifecycle.
S3-compatible temporary object storageConditionalTemporary import object transferTemporary uploaded audio/object references and checksums while import is pendingMove import objects to workers without making object storage the authorityLifecycle deletion and DB lease/receipt cleanup must be documented before production use.
Customer-connected S3 cloud storageConditional when Enterprise Catalog Cloud Storage is enabledCustomer-managed cloud storage integration for Connected Storage discovery, import relay, and publish-to-cloudCustomer storage object metadata, server-resolved object references, short-lived audio relay bytes during user-initiated import, publish manifest metadataDiscover customer-approved cloud audio, import selected items to the local library through a relay, and publish approved local-library proof back to customer storageCustomer storage remains customer-controlled. Bigcut stores connector bindings, cursors, and secret references, not raw provider credentials. Public evidence must not expose raw paths, cursors, credentials, or provider console exports.
Dropbox customer-connected cloud storageActive when Enterprise Catalog Cloud Storage is enabled for DropboxCustomer-managed cloud storage integration for Connected Storage discovery, import relay, and publish-to-cloudCustomer storage file metadata, server-resolved file references, short-lived audio relay bytes during user-initiated import, publish manifest metadataDiscover customer-approved cloud audio, import selected items to the local library through a relay, and publish approved local-library proof back to customer storageCustomer storage remains customer-controlled. Bigcut stores connector bindings, cursors, and secret references, not raw provider credentials. Public evidence must not expose raw paths, cursors, credentials, or provider console exports.
SharePoint or Microsoft Graph customer-connected cloud storageActive when Enterprise Catalog Cloud Storage is enabled for Microsoft storageCustomer-managed Microsoft cloud storage integration for Connected Storage discovery, import relay, and publish-to-cloudDrive/item metadata, server-resolved file references, short-lived audio relay bytes during user-initiated import, publish manifest metadata, and connector secret referencesCustomer-approved Microsoft cloud audio discovery/import through the Connected Storage boundaryCustomer Microsoft storage remains customer-controlled. Enablement requires customer notice review, tests, provider readiness evidence, and public inventory updates before expanding scopes or storage behavior.
Sentry error monitoring providerActive for configured web/server/desktop monitoringError monitoring and alertingRedacted stack traces, runtime metadata, error categoryReliability monitoring and incident responseDesktop error reporting is opt-in where product policy says so. Web/server operational monitoring may run when configured for security and reliability. Customer audio, embeddings, secrets, auth tokens, DB URLs, and raw provider payloads must not be included.
DMCA.com badge infrastructureActive on pages that render the DMCA badgeCopyright protection badge script, image, and status link providerBrowser request metadata for badge script/image/status requests, badge protection identifier, referrer and network metadata handled by DMCA.com according to its policiesDisplay copyright protection badge and link to protection statusBadge provider only. DMCA.com does not receive customer audio, embeddings, local library data, billing authority records, or release ledger authority from Bigcut through the badge integration.
Mattermost internal alert providerActive for configured internal alert deliveryInternal alert deliveryRedacted operational alert summaries, counts, masked email references, and compact user references when needed for signup, security, or incident triageOperator incident and activity notificationAlerts must avoid raw customer identifiers, full email addresses, bearer tokens, secrets, DB URLs, raw provider payloads, customer audio, embeddings, and local library data.
SMTP/email provider used through Nodemailer or Python smtplibActive for configured transactional and operational email deliveryTransactional and operational email deliveryRecipient email address, delivery metadata, account closure, support, or operational alert email contentAccount closure confirmation, support, operational notices, and configured reliability alertsEmail content must avoid secrets and unnecessary customer data. Actual provider is determined by the configured SMTP host and Gmail OAuth2 setting.