Current sub-processors
Effective as of the "Last updated" date above. Each entry names the provider, the function it performs, the categories of data it receives, and the legal entity's principal place of business.
Note on electronic signatures: Grace's e-signature feature runs on software we host ourselves on the infrastructure listed below (Railway, Neon, and Resend). Document content and signer identity are not shared with the software's maker or any other third party — they are processed only within our own systems.
- Clerk, Inc. (United States)
  - Authentication, sign-in, session management, and multi-factor enrollment. Receives account email, name, password hash, and (if enabled) MFA factors.
- Stripe, Inc. (United States)
  - Subscription billing and payment processing. Receives billing email, payment-method details (collected by Stripe directly, never by Obelisk Studio), tax/billing address, and the metadata Stripe needs to render invoices.
- Resend, Inc. (United States)
  - Outbound email delivery (call sheets, production invitations, vault shares, verification codes, transactional notifications, and electronic-signature requests, reminders, and completed-document notifications). Receives recipient addresses and email body content.
- Cloudflare, Inc. (United States)
  - (a) Object storage via Cloudflare R2 for scripts, photos, screeners, dailies, and call-sheet PDFs (files encrypted at rest with AES-256). (b) DNS, network edge, marketing-site CDN, and bot/DDoS mitigation. Receives standard request metadata (IP, user agent, URL path) in the edge role; receives uploaded file contents in the R2 role.
- Neon, Inc. (United States)
  - Managed PostgreSQL hosting for the Grace application database, with point-in-time recovery snapshots, plus a separate database for our self-hosted electronic-signature service. Receives all structured application data described in the Privacy Policy, plus signing records and audit logs for documents sent for e-signature.
- Railway Corp. (United States)
  - Application hosting and compute for the Grace web/server tier and for our self-hosted electronic-signature service. Receives all data passing through those servers in the course of request handling.
- Sentry, by Functional Software, Inc. (United States)
  - Error monitoring and diagnostics. Receives error messages and stack traces, the page or route where an error occurred (with sensitive tokens and query parameters redacted), browser/device/OS type, and a pseudonymous account identifier. Does not receive names, email addresses, or production content.
- PostHog, Inc. (United States)
  - Product analytics, used to understand which features are adopted and where users get stuck. Receives a fixed set of explicit events — page views (recording the in-app route visited, with sensitive tokens and query parameters redacted from the path), how long a screen was open, and lifecycle actions such as sign-up, production created, and call sheet sent — carrying non-identifying counts and category labels, a pseudonymous account identifier, and pseudonymous organization and production identifiers together with a few non-identifying group attributes (the organization's subscription plan, and the production's union status, shoot-day count, and status). Sets a first-party cookie and a browser local-storage value to hold the pseudonymous identifier; events are routed through a same-origin reverse proxy. Session replay, autocapture, and heatmaps are disabled. Does not receive names, email addresses, script text, budgets, or other production content, and is not used to train any models.
- Amazon Web Services, Inc. (United States)
  - Primary AI processing via Amazon Bedrock — script breakdown extraction, the Grace AI assistant panel, and VFX-shot suggestions (Anthropic Claude and related models, hosted within AWS in region us-east-1). Receives script text or PDF and the production data needed to answer a given request. Amazon Bedrock does not store prompts or completions, does not use them to train any models, and does not share them with the underlying model providers.
- Anthropic, PBC (United States)
  - Failover AI processing (Claude, direct API), used only if Amazon Bedrock is unavailable. Receives script text or PDF and request context only while the failover is active. Anthropic's paid API tier does not retain user-API data beyond standard operational logs and does not use it for model training.
- Google LLC (United States)
  - (a) Secondary fallback AI processing via Google Cloud Vertex AI (Gemini) when the primary model is unavailable; Google AI Studio serves the same role during the direct-API failover. (b) Address geocoding and nearest-hospital lookups via the Google Maps Platform Geocoding API and Places API. Receives script text / production data (Vertex AI) or an address string / coordinates (Maps Platform). Vertex AI is governed by the Google Cloud Data Processing Addendum; neither service uses paid-tier content to train Google's general models.
- Open-Meteo GmbH (Germany)
  - Weather data for shoot-day forecasts on call sheets. Receives latitude/longitude only, no production identity.
- OpenStreetMap Foundation, United Kingdom (Nominatim hosted service)
  - City-level coordinates lookup for weather forecasts on call sheets. Receives the city string only, no production identity.
- Thy Dark Hour Systems (OPC) Pvt Ltd, India
  - Software development, technical operations, and customer-support engineering for Grace. Personnel acting under TDH's engagement may access the production database for engineering and support purposes. Subject to confidentiality and data-protection obligations to Obelisk Studio LLC and to the international-transfer safeguards described in the Privacy Policy.