Subprocessor and Provider Inventory

Last updated: May 23, 2026

This inventory explains which providers or provider-like operational systems are used by the service and why. Secret values, customer records, backup dumps, and raw provider console exports are not published here.

| Provider or system | Status | Role | Data categories | Purpose | Retention / control boundary |
|---|---|---|---|---|---|
| Supabase | Active | Authentication provider, Auth Admin API, public Edge Function URL surface | Email address, auth user id, sign-in metadata, access and refresh tokens, auth security logs, limited request metadata | Sign-in, session lifecycle, password verification/reset, Auth user deletion, Edge ingress | Authentication authority only. Service/product data writes route to Ubuntu bigcut_service through approved bridges after the 2026-05-15 cutover. |
| Paddle or comparable payment provider | Active when billing is enabled | Payment processor, merchant of record, or comparable billing provider | Processor customer id, subscription id, transaction id, invoice state, limited payment method reference, country and tax metadata | Checkout, renewals, refunds, invoices, tax, chargeback handling, billing support | Bigcut does not store full card numbers. Billing records may be retained for legal, tax, fraud, chargeback, and dispute obligations. |
| Vercel or comparable web hosting provider | Active when web deployment is hosted there | Web hosting, serverless route runtime, cron trigger surface | HTTP request metadata, redacted application logs, deployment environment names without values | Serve web app, account routes, billing cron/recovery routes | Deployment evidence must not expose raw environment values or secrets. |
| Ubuntu Docker host managed by Bigcut | Active | Self-managed API, worker, Postgres, Redis, relay runtime | Service/product DB rows, account governance rows, billing and credit ledger rows, operational logs | Canonical service/product data runtime after cutover | Bigcut-controlled operational system. Backup artifacts are sensitive and are not published. |
| Modal or comparable embedding compute provider | Conditional | Remote embedding execution infrastructure | Customer audio in transient processing memory, generated embedding response metadata, limited operational job metadata | Extract numerical embeddings when remote embedding mode is used | Original audio must not be written to long-term provider storage in normal service design. |
| AWS SQS or comparable queue provider | Conditional | Import queue wake-up signal and Paddle billing recovery replay buffer | Queue message ids, item/job references, minimized Paddle billing recovery payload metadata, provider-scope hashes, redacted raw-HMAC prefixes, and encrypted confidential raw-HMAC subdocuments | Wake import workers and buffer Paddle billing webhook recovery events during service DB outage handling | Queue is a signal/evidence buffer only. Ubuntu service DB and Paddle remain billing authority. SQS evidence must not carry plaintext raw-HMAC values, raw provider payload exports, secrets, DB URLs, or customer records. |
| AWS Lambda or comparable webhook intake runtime | Conditional when billing recovery SQS intake is enabled | Paddle billing webhook recovery intake runtime before SQS handoff | Signed Paddle webhook raw body in transient request memory, event id/type, minimized billing payload, provider-scope hashes, webhook secret version, Lambda request/correlation ids, and AWS-origin attestation metadata | Verify Paddle signatures, minimize recovery payloads, encrypt raw-HMAC evidence, and enqueue redaction-safe recovery messages | Intake runtime is not billing authority and must not publish or store raw webhook bodies as customer evidence. Only minimized payload metadata, encrypted raw-HMAC subdocuments, and redacted attestation fields may leave the intake boundary. |
| AWS KMS or comparable key-management provider | Conditional when billing recovery raw-HMAC recovery evidence is enabled | Key-management boundary for Paddle billing recovery raw-HMAC confidential subdocuments | KMS key references, ciphertext blobs, encryption-context metadata, key-version metadata, and transient plaintext raw-HMAC values inside encrypt/decrypt operations | Protect raw-HMAC evidence needed for billing webhook recovery materialization without exposing plaintext raw-HMAC values in queues, logs, docs, or public evidence | KMS is not billing authority. Plaintext raw-HMAC values must not be logged, stored in SQS as plaintext, printed in evidence, or copied into docs; failures must expose only sanitized error codes/classes. |
| S3-compatible temporary object storage | Conditional | Temporary import object transfer | Temporary uploaded audio/object references and checksums while import is pending | Move import objects to workers without making object storage the authority | Lifecycle deletion and DB lease/receipt cleanup must be documented before production use. |
| Customer-connected S3 cloud storage | Conditional when Enterprise Catalog Cloud Storage is enabled | Customer-managed cloud storage integration for Connected Storage discovery, import relay, and publish-to-cloud | Customer storage object metadata, server-resolved object references, short-lived audio relay bytes during user-initiated import, publish manifest metadata | Discover customer-approved cloud audio, import selected items to the local library through a relay, and publish approved local-library proof back to customer storage | Customer storage remains customer-controlled. Bigcut stores connector bindings, cursors, and secret references, not raw provider credentials. Public evidence must not expose raw paths, cursors, credentials, or provider console exports. |
| Dropbox or comparable customer-connected cloud storage | Conditional when Enterprise Catalog Cloud Storage is enabled | Customer-managed cloud storage integration for Connected Storage discovery, import relay, and publish-to-cloud | Customer storage file metadata, server-resolved file references, short-lived audio relay bytes during user-initiated import, publish manifest metadata | Discover customer-approved cloud audio, import selected items to the local library through a relay, and publish approved local-library proof back to customer storage | Customer storage remains customer-controlled. Bigcut stores connector bindings, cursors, and secret references, not raw provider credentials. Public evidence must not expose raw paths, cursors, credentials, or provider console exports. |
| SharePoint or Microsoft Graph customer-connected cloud storage | Not active in the current release; conditional future integration | Customer-managed Microsoft cloud storage integration code path for future Connected Storage enablement | Drive/item metadata, server-resolved file references, and connector secret references if enabled later | Future customer-approved cloud audio discovery/import through the Connected Storage boundary | SharePoint live proof is excluded from the current release scope. Enablement requires updating this inventory, customer notice review, tests, and provider readiness evidence before production use. |
| Sentry or comparable error monitoring provider | Conditional | Error monitoring and alerting | Redacted stack traces, runtime metadata, error category | Reliability monitoring and incident response | Customer audio, embeddings, secrets, and auth tokens must not be included. |
| Mattermost or comparable internal alert provider | Conditional | Internal alert delivery | Redacted operational alert summaries and counts | Operator incident notification | Alerts must avoid customer identifiers, bearer tokens, secrets, DB URLs, and raw provider payloads. |
| SMTP/email provider used through Nodemailer | Conditional | Transactional email delivery | Recipient email address, delivery metadata, account closure or support email content | Account closure confirmation, support, operational notices | Email content must avoid secrets and unnecessary customer data. |