Subprocessors
This page lists the third-party service providers (subprocessors) that Foldly uses to operate the platform. It is intended for workspace owners, security reviewers, and procurement teams evaluating Foldly's vendor footprint.
For general security and data handling information, see Security & Data Handling. For legal terms, see the Privacy Policy.
What Is a Subprocessor
In this context, a subprocessor is any third-party service provider that may receive, process, or store data on behalf of Foldly as part of delivering the product. This includes infrastructure providers, authentication services, AI processing providers, and operational services.
Each subprocessor listed below is used for a specific function and receives only the categories of data necessary for that function.
Current Subprocessors
The following providers are part of Foldly's current production infrastructure.
Clerk
User authentication
Name, email address, authentication credentials
Handles sign-in, sign-up, session management, and billing plan gating.
Supabase
Database and primary file storage
All application data, uploaded files, imported files
PostgreSQL database with row-level security. Default file storage provider.
Vercel
Application hosting and AI gateway
Application requests, serverless function execution, AI API routing
Hosts the production application and cron workers. Routes AI requests to cloud providers via the Vercel AI Gateway.
Mailgun
Transactional email and inbound email processing
Email addresses, email content, file attachments
Sends verification codes, upload notifications, and follow-up reminders. Receives inbound emails for the email ingestion pipeline.
Upstash
Distributed rate limiting and ephemeral state
Rate limit counters, OTP codes, deduplication keys
Redis-based. All data is ephemeral with short TTLs (seconds to minutes). No persistent customer data is stored.
NVIDIA NIM
AI document processing (default provider)
File content sent via API for classification, summarization, extraction, and filing
Default AI provider. Connects directly via OpenAI-compatible API.
VirusTotal
Malware scanning
File SHA-256 hashes; file content for unknown files
Scans uploaded and imported files. Files over 32 MB are not submitted (VirusTotal size limit).
Google Gmail API
Historical email inbox import
Email headers, body preview (500 characters), attachment file contents, message identifiers
Optional. Active only when a user explicitly connects their Gmail account. Read-only access (gmail.readonly scope). See Google Data Access and Gmail Import.
Conditional and Alternate Providers
The following providers are supported in the codebase but are not active by default. They may be activated through environment configuration.
Google Cloud Storage
File storage (alternate provider)
Active when STORAGE_PROVIDER is set to gcs. Replaces Supabase Storage for file uploads and imports.
Cloudflare R2
Temporary ZIP archive delivery
Active only for the async-archive download tier (large bulk downloads). ZIP files are auto-deleted after 24 hours. Does not replace the primary file store.
Google Gemini
AI document processing (alternate provider)
Available through the Vercel AI Gateway when configured. Not active by default.
Moonshot Kimi
AI document processing (alternate provider)
Available through the Vercel AI Gateway when configured. Not active by default.
Anthropic Claude
AI document processing (alternate provider)
Available through the Vercel AI Gateway when configured. Not active by default.
Ollama
AI document processing (local development only)
Active when AI_PROVIDER is set to ollama. Runs locally and does not send data to external services. Not used in production.
When alternate AI providers are activated, file content is sent to those providers via their APIs for processing. Each provider's own data handling and retention practices are governed by their respective terms of service and privacy policies.
Data Categories by Function
This section summarizes which categories of data may be processed by subprocessors, grouped by product function rather than by provider.
Authentication and account management: Name, email address, and authentication credentials are processed by Clerk.
File storage: Uploaded files, imported files, and file metadata are stored by the configured storage provider (Supabase Storage by default, Google Cloud Storage when configured).
AI document processing: File content (text, images, PDF pages) is sent to the active AI provider for classification, summarization, data extraction, filing decisions, and document comparison. AI analysis results are stored in Foldly's database, not with the AI provider.
Email operations: Email addresses, email content, and file attachments are processed by Mailgun for transactional and inbound email. For Gmail imports, email headers, body previews, and attachment contents are read from the connected Gmail account.
Malware scanning: File hashes (and file content for previously unknown files) are sent to VirusTotal for scanning. Files over 32 MB are excluded.
Rate limiting and operational state: Ephemeral counters and keys are stored in Upstash Redis. This data auto-expires and contains no persistent customer content.
Temporary downloads: When Cloudflare R2 is configured, bulk download ZIP archives are staged temporarily and auto-deleted after 24 hours.
What This Page Does Not Cover
This page describes Foldly's current subprocessor footprint based on the production codebase and published legal pages. The following topics are intentionally not addressed here because Foldly does not currently make public claims about them:
Compliance certifications: Foldly does not currently hold or claim SOC 2, ISO 27001, HIPAA, or similar certifications.
Data residency guarantees: Foldly does not currently guarantee that data is stored in a specific geographic region. Data residency depends on the infrastructure providers used (Supabase, Vercel, and others).
Data processing agreements (DPAs): Foldly does not currently publish a standard DPA.
Subprocessor change notifications: Foldly does not currently operate a formal subprocessor change notification program.
Provider-specific SLAs or retention policies: Each provider's service terms govern their own availability and data retention. Foldly does not restate or guarantee those terms.
Related Pages
Trust Center: Overview of all published trust documentation
Security & Data Handling: Storage architecture, access controls, encryption, and security measures
Upload Links and Access Controls: Link types, roles, editor verification, and owner-configurable protections
Google Data Access and Gmail Import: Gmail integration, OAuth handling, and imported data lifecycle
Privacy Policy: Full privacy policy including the subprocessor table and Google User Data section
Terms of Service: Terms of service
Questions
For questions about Foldly's subprocessors or data handling practices, contact [email protected].
Last updated: March 29, 2026