Subprocessors
Last updated April 19, 2026
A subprocessor is a third party engaged by Enso Insights to process Customer Personal Data on our behalf. We disclose every subprocessor here and notify customers in advance of any change.
This page lists the third-party providers (“Subprocessors”) that Enso Insights uses to provide the Services. Each Subprocessor’s processing of Customer Personal Data is governed by that provider’s terms of service, privacy commitments, and any applicable data processing addendum, which collectively establish data-protection obligations consistent with those described in our Data Processing Agreement. We select each Subprocessor based on its published security and privacy posture, including its public attestations (e.g., SOC 2 / ISO 27001) where available, and review that posture on a periodic, risk-based basis. The “Attestations” column below identifies each provider’s publicly published certifications and program participations, not bilateral contracts between Enso Insights and the provider.
Current subprocessor list
The following Subprocessors may process Customer Personal Data as part of providing the Services. The list is organized by function. All Subprocessors are based in the United States and process data in U.S. regions unless otherwise noted; international transfers are governed by the SCCs / UK Addendum incorporated into our DPA.
Infrastructure providers
| Subprocessor | Purpose | Location | Data processed | Attestations |
|---|---|---|---|---|
| Supabase, Inc. | Managed PostgreSQL database, authentication (passwordless OTP), and row-level security. | United States (US-West) | Account information, audit inputs, audit outputs, session tokens. | SOC 2 Type II (per provider’s public attestation) |
| Vercel, Inc. | Application hosting on a globally distributed edge network. | Global edge (data primarily in United States) | Request metadata and IP address (request-time only). | SOC 2 Type II, ISO 27001 (per provider’s public attestations) |
AI engines
The following providers run the large-language-model inference that powers our scoring engine. Each provider is used through its applicable enterprise / API data-handling commitments which, depending on the provider and tier and as further described in the per-row entries below, prohibit the upstream provider from using prompts and completions to train its models and limit retention to what the provider deems necessary to provide and secure the service. Specific commitments are governed by each provider’s published API terms and any data processing addendum we have on file.
| Subprocessor | Purpose | Location | Data processed | Attestations |
|---|---|---|---|---|
| OpenAI OpCo, LLC | GPT-class model scoring of audit prompts. | United States | Audit prompts (brand names, competitor names, market context). | SOC 2 Type II; zero-retention API tier (per provider’s published API terms) |
| Google LLC (Vertex AI) | Gemini 2.5 Pro model scoring of audit prompts. | United States (US-Central) | Audit prompts (brand names, competitor names, market context). | SOC 2 Type II, ISO 27001; non-training API tier (per provider’s published API terms) |
| Brave Software, Inc. | Web search results used to ground LLM responses on current public information (Brave Search API). | United States | Search queries derived from audit prompts. | Per provider’s published privacy and API terms |
Operational tools
| Subprocessor | Purpose | Location | Data processed | Attestations |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing for paid plans (when applicable). | United States | Billing contact, masked payment-method identifier (Enso does not store full card numbers). | PCI-DSS Level 1, SOC 2 Type II (per provider’s public attestations) |
Subscribe to subprocessor change notifications
We notify customers at least 30 days in advance of any addition or replacement of a Subprocessor by updating this page and by emailing customers who have subscribed to change notifications. To subscribe, email legal@ensoinsights.us with the subject “Subscribe to subprocessor updates.”
Objection rights
Customers on a paid plan may object to the addition of a new Subprocessor on reasonable grounds that the appointment will result in a material violation of Data Protection Law, by emailing legal@ensoinsights.us within 30 days of notification. We will work in good faith to address the objection. If we choose to retain the new Subprocessor, either party may terminate the relevant parts of the Services and we will refund any pre-paid, unused fees attributable to the terminated portion of the term, as set forth in Section 6.3 of the Data Processing Agreement.
Change history
- April 19, 2026 — Editorial clarifications.Updated the AI Engines section header paragraph to more precisely describe each provider’s per-tier data-handling commitments (no-training, limited retention) by reference to the per-row entries and each provider’s published API terms. Subprocessor list itself unchanged.
- April 18, 2026 — Initial publication. Subprocessors as listed above.
Going forward, every change to this list (additions, removals, region changes) will be logged here with the effective date.
Other legal documents
Entity information. “Enso Insights” is a registered trade name of Enso Labs LLC, a Texas limited liability company. All references to “Enso Insights,” “we,” “our,” or “us” in this document mean Enso Labs LLC operating under that trade name.