— Subprocessors

Every third party that touches your data.

Last updated: 2026-05-20

These are the vendors Mallín uses to operate the service. Each one has a specific role, processes a specific subset of your data, and operates under its own data-processing terms. We update this page whenever we add or remove a vendor — we will not silently expand the list.

VendorPurposeWhat we sendRegionStatus
Anthropic
Privacy terms ↗
AI model inference (Claude API) — brief generation, chat replies, stakeholder analysisDeal substrate, call transcripts, your prompts. No auth tokens, no PII outside deal context.United StatesActive
Supabase
Privacy terms ↗
Primary database (Postgres) + storage for customer data, accounts, deals, notes, audit logsAll customer data at rest. Encrypted with AES-256.United States (AWS US-East)Active
Clerk
Privacy terms ↗
Authentication, session management, multi-factor authentication, organization membershipAccount email, hashed password, MFA secrets, session tokens. No deal data.United StatesActive
Vercel
Privacy terms ↗
Web hosting, edge runtime, serverless function execution, deployment platformAll HTTP traffic transits Vercel edge. Application logs (retained ~30 days). Secrets stored in encrypted env-var store.United States (primary) + global edge for static assetsActive
Resend
Privacy terms ↗
Transactional email (pilot signup notifications, contact form deliveries, account emails)Recipient email, message subject + body. No deal data.United StatesActive
HubSpot (when connected)
Privacy terms ↗
CRM integration — Mallín reads deal/contact/account data and writes back notes, activities, tasks per your write-through configurationWhatever your HubSpot OAuth scopes grant. Governed by your HubSpot tenant's permissions and your CRM admin.Determined by your HubSpot accountActive
Salesforce (when connected)
Privacy terms ↗
CRM integration (planned) — same pattern as HubSpotDetermined by your Salesforce OAuth scopesDetermined by your Salesforce orgPlanned
Pipedrive (when connected)
Privacy terms ↗
CRM integration (planned) — same pattern as HubSpotDetermined by your Pipedrive OAuth scopesDetermined by your Pipedrive accountPlanned
GitHub
Privacy terms ↗
Source code repository, deployment trigger (CI/CD), engineering audit trailSource code only. No customer data. No deal substrate.United StatesActive

How we evaluate subprocessors

  • Each subprocessor must have a published data-handling policy or DPA we can review.
  • Each must operate under encryption (in transit + at rest) standards equivalent to ours.
  • Where possible, we choose subprocessors with current SOC 2 or equivalent third-party attestation.
  • We minimize what we send to each — the data table above lists the actual scope, not the contractual maximum.

Changes

When we add a new subprocessor, this page is updated and the change appears in the "Last updated" date at the top. Customers on active pilots are notified by email of new subprocessors at least 14 days before they go live.

Questions

Subprocessor questions, DPA requests, customer-specific arrangements: hello@mallin.io.