Sub-processor Registry

Third-party service providers used to deliver the School-Core platform.

Effective May 1, 2026 · v1.0 — June 2026

Why this matters

School-Core uses the following third-party service providers (sub-processors) to deliver our platform. Each provider is bound by data processing agreements and maintains industry-standard security certifications.

This page is the canonical, public version of the registry referenced by our Privacy Policy and Data Processing Agreement.

Notice of changes

Schools are notified 30 days in advance of any changes to this list, as specified in our Data Processing Agreement.

Current sub-processors

Supabase (PostgreSQL)

Primary database hosting

Infrastructure

Data processed

All platform data (student records, staff records, academic data, communications)

Data location

Singapore (AWS ap-southeast-1)

SOC 2 Type IIHIPAA
Vercel

Application hosting and edge delivery

Infrastructure

Data processed

Application requests, server-side rendering, edge functions

Data location

Global (edge network)

SOC 2 Type IIGDPR
Cloudflare R2

File and document storage

Infrastructure

Data processed

User-uploaded documents, attachments, profile images, certificates, report PDFs

Data location

Configurable (region hints available)

SOC 2 Type IIISO 27001PCI DSS
Anthropic (Claude)

AI-powered educational features

AI Processing

Data processed

Prompts containing academic context (no PII stored by provider). See Privacy Policy §6 for details.

Data location

United States

SOC 2 Type II
OpenAI (GPT)

Alternative AI processing for specific features

AI Processing

Data processed

Educational prompts (no PII stored by provider). See Privacy Policy §6 for details.

Data location

United States

SOC 2 Type II
Stripe

Payment processing for subscriptions and billing

Payment

Data processed

Payment card details (handled directly by Stripe, never touches our servers), billing information

Data location

United States / Global

PCI DSS Level 1SOC 2 Type IIISO 27001
Resend

Transactional email delivery

Communication

Data processed

Email addresses, recipient names, email content (password resets, notifications, report card distribution)

Data location

United States

SOC 2 Type II
Sentry

Error monitoring and performance tracking

Monitoring

Data processed

Error context, stack traces, performance metrics. Configured to exclude PII.

Data location

United States

SOC 2 Type IIGDPR
Upstash Redis

Rate-limit counters and short-lived AI budget caches

Infrastructure

Data processed

Rate-limit keys (IP, userId), AI token budgets, cached responses (no long-term PII).

Data location

Global (regional choice configurable)

SOC 2 Type II
Google (OAuth)

Optional sign-in with Google Workspace and Google Drive personal-account connections

Authentication

Data processed

Authentication tokens, basic profile (name, email). No customer data is shared with Google.

Data location

Global

SOC 2 Type IIISO 27001
Microsoft Entra ID

Optional sign-in with Microsoft 365 / Entra and OneDrive personal-account connections

Authentication

Data processed

Authentication tokens, basic profile (name, email). For OneDrive-connected users: file listing tokens scoped to the consenting user only.

Data location

Global

SOC 2 Type IIISO 27001

Our commitment

We only work with sub-processors that maintain SOC 2 Type II or equivalent certifications. All sub-processors are bound by data processing agreements that ensure your data is protected. Schools are notified 30 days in advance of any changes to this list, as specified in our DPA.

Questions?

Last updated: June 2026 · v1.0 — June 2026