Last updated May 23, 2026. To get notified by email whenever this page changes, email privacy@lossless-ai.com from the address on your account.
Cloud infrastructure
| Vendor | Purpose | Data categories | Region | Contract |
|---|---|---|---|---|
| Google Cloud (GCP) | Compute (Cloud Run), database (Cloud SQL), object storage (GCS), key management (KMS), logging, Cloud Tasks. | All categories of Customer Data and Lossless service data. | US-WEST1 (default) EU-WEST3 (EU opt-in) | DPA in place; SCCs available |
Authentication
| Vendor | Purpose | Data categories | Region | Contract |
|---|---|---|---|---|
| WorkOS | Single sign-on (SSO), passkeys, directory sync for enterprise tenants. | Email, name, SSO identifier, IP at login. | US | DPA in place |
| Stytch | Backup auth provider (passwordless, magic links) — used for users not on SSO. | Email, IP, device user-agent. | US | DPA in place |
Payments
| Vendor | Purpose | Data categories | Region | Contract |
|---|---|---|---|---|
| Stripe | Credit-card billing, invoice issuance, tax compliance. | Name, billing address, last-four card digits, transaction history. We do not store full card numbers; Stripe holds them. | US | DPA in place; PCI DSS compliant vendor |
AI inference
| Vendor | Purpose | Data categories | Region | Contract |
|---|---|---|---|---|
| Anthropic | Large language model inference (Claude). Summaries, classification, Q&A on your records. | The minimum content needed to answer your specific request. Never OAuth tokens or payment instruments. | US | No training Enterprise agreement; configured per call. |
| OpenAI | LLM inference for select features (mostly embeddings and lighter tasks). | Same as above. | US | Zero-retention Zero-data-retention org tier; no logging. |
| Google Vertex AI / Gemini | LLM inference for select features. | Same as above. | US | No training Vertex enterprise; data-not-used-for-improvement configured. |
Vector store
| Vendor | Purpose | Data categories | Region | Contract |
|---|---|---|---|---|
| Pinecone | Vector embeddings of your records, used for fast semantic search. | Embeddings (not raw text); workspace-scoped namespaces. | US | DPA in place |
Connector providers (data inflow)
| Vendor | Purpose | Data categories | Region | Contract |
|---|---|---|---|---|
| Plaid | Bank, credit-card, mortgage, and investment account connectivity. | Account metadata, balances, transactions, account numbers, owner identifiers (last-four SSN where the institution provides it). | US | GLBA-regulated; DPA in place |
| Google (Gmail, Calendar, Drive) | OAuth read access to user-authorized Google Workspace surfaces. | Email content, calendar events, files (only what the user grants). | US | Standard OAuth scopes; we hold tokens, not credentials. |
| Microsoft 365 | Outlook / OneDrive equivalents. | Same as above for Microsoft accounts. | US | Standard OAuth scopes. |
| Rental platforms (Airbnb, VRBO, Hostaway, Guesty) | Listing, reservation, guest, message, and payout data for STR hosts who connect. | Guest profiles, reservation history, messages, payouts. | Varies | Per-platform OAuth + DPA where offered. |
Operational
| Vendor | Purpose | Data categories | Region | Contract |
|---|---|---|---|---|
| Resend | Transactional email delivery (signup, security alerts, deletion confirmations). | Email address; email body for the transactional message itself. | US | DPA in place |
| Sentry (or equivalent APM) | Application error monitoring. | Stack traces with PII scrubbed; user_id only, no content. | US | DPA in place; PII-scrub filter enabled. |
| GitHub | Source-code hosting. Does not process Customer Data. | n/a (not a customer-data subprocessor). | US | n/a |
Subscribe to updates. If you'd like to be notified of any change to this list — additions, removals, or scope changes — email privacy@lossless-ai.com from your account email. We notify all active customers automatically and post the update with at least 30 days' lead time.
Process for new subprocessors
- We complete a vendor diligence review: security posture, data minimization, DPA terms, sub-processing chain, breach history.
- We notify all active customers by email and post the addition on this page at least 30 days before the vendor receives any customer data.
- Customers who object may terminate without penalty during the notice window.
- After the notice window, the vendor goes live; the audit trail records the live date.
Subprocessors we have considered and declined
We do not use any third-party advertising network, analytics SDK with cross-site identifiers, attribution platform, or marketing-automation vendor that would receive product data. We have evaluated and declined the major players in each of those categories.