Subprocessors
To deliver the Tellus EHS Platform, we use a small number of trusted third-party service providers ("subprocessors") that process data on our behalf. This page lists the current subprocessors and what each one does.
Subprocessors are contractually obligated to protect Customer Data, use it only for the purposes we specify, and meet security standards consistent with our Privacy Policy and the security obligations described in our Terms of Service. Business customers can find the full processor-level commitments — including breach-notification timing, audit rights, and SCC selections — in our Data Processing Addendum.
Current Subprocessors
| Subprocessor | Purpose | Data Categories | Region |
|---|---|---|---|
| Supabase, Inc. | Authentication and identity (email/password, JWT issuance, session management) | Account credentials, email address, user ID | United States |
| DigitalOcean, LLC | Application hosting and managed PostgreSQL database (primary data store for all Customer Data) | All Customer Data (account info, company data, chemical inventory, plans, training records, audit logs) | United States (SFO3 region) |
| Amazon Web Services, Inc. (AWS S3) | Object storage for documents (SDS PDFs, product images, course content) | Uploaded files (SDS, images, training content) | United States (us-west-2 region) |
| Mailgun Technologies, Inc. | Transactional email delivery (account verification, password reset, invitations, notifications) | Recipient email address, email body content | United States |
| Anthropic, PBC | AI inference for product label/SDS extraction and content generation (Claude API) | Submitted images and text excerpts. Customer Data is sent transiently for inference; no Customer Data is used to train Anthropic's general models. | United States |
| OpenAI, L.L.C. | AI inference for product label/SDS extraction and HazCom plan/course content generation (GPT-4o API) | Submitted images and text excerpts. Customer Data is sent transiently for inference; no Customer Data is used to train OpenAI's general models (per API data-use terms). | United States |
| Perplexity AI, Inc. | Web search for safety data sheets (chemical name → manufacturer SDS lookup) | Chemical names and product identifiers only (no PII) | United States |
| Functional Software, Inc. (Sentry) | Application error monitoring and performance tracing | Error stack traces, request metadata, scrubbed user IDs (PII is filtered before transmission) | United States |
| Cloudflare, Inc. (Turnstile) | Bot protection for public-facing endpoints (Public SDS Portal, contact forms) | Challenge tokens, IP address of the requesting visitor | Global edge network |
| Stripe, Inc. | Subscription billing and payment processing | Billing name, billing email, billing address, subscription/invoice records. Payment card details are entered into Stripe-hosted fields and tokenized — Tellus never receives or stores raw card data. | United States |
Updates to this list
We may add or change subprocessors over time as the Service evolves. When we make a material change:
- We will update this page with the new entry and a new "Last Updated" date.
- For Enterprise customers under a signed Data Processing Addendum (DPA), we will provide notice consistent with the DPA before the change takes effect.
For day-to-day customers, the most current list is always the one published here. Bookmark this page or check it periodically.
Questions
If you have questions about any of these subprocessors — including their security posture, where they store data, or how to obtain their own SOC 2 / ISO 27001 reports — contact us at privacy@tellusehs.com. We're happy to share whatever we can.
For B2B customers requiring a signed Data Processing Addendum (DPA), please contact legal@tellusehs.com.