Subprocessors
Last updated: 2026-05-27
Achieve IT uses the third-party providers listed below to help deliver the Ultimate Email Management System. We maintain this page so our customers can see exactly who we rely on and what they do with customer data.
Changes to this list: we will notify customers at least 30 days before engaging a new subprocessor, and you can object per our Data Processing Addendum §6.3.
Core infrastructure
| Subprocessor | What they do for us | Where processing happens | Their security/privacy page |
|---|---|---|---|
| Railway Corp. | Application hosting (web app, API, workers), managed Postgres database, managed Redis | United States | railway.com/security |
| Cloudflare, Inc. | Object storage (R2) for knowledge-base documents, audit log archive, and backups; DNS and edge networking | Global, primarily United States; cross-region replication enabled | cloudflare.com/trust-hub · SOC 2 Type II, ISO 27001 |
| Amazon Web Services, Inc. | Key management service (AWS KMS); holds the master encryption key that protects customer credentials | United States | aws.amazon.com/compliance · SOC 2, FedRAMP, ISO 27001 |
Identity and authentication
| Subprocessor | What they do for us | Where processing happens | Their security/privacy page |
|---|---|---|---|
| Clerk, Inc. | User authentication, multi-factor authentication, session management for the client and admin portals | United States | clerk.com/legal/privacy · SOC 2 Type II |
AI model provider
| Subprocessor | What they do for us | Where processing happens | Training policy | Their terms |
|---|---|---|---|---|
| MiniMax (standard tier, default) | Large language model inference for draft generation, classification, and safety review | United States and global edge | May use submitted content as training data per provider terms | minimaxi.com |
On the standard service tier (Starter, Growth, Scale), customer content sent to MiniMax for inference may be used by MiniMax to train its own models per the provider's published terms. Achieve IT does not control that policy.
If a contractual no-training guarantee is required, Achieve IT offers a no-training AI tier that routes inference to an alternate provider (e.g., a self-hosted or zero-retention API endpoint) under a written addendum. Pricing is custom; contact [email protected].
Payments and financial
| Subprocessor | What they do for us | Where processing happens | Their security/privacy page |
|---|---|---|---|
| Stripe, Inc. | Payment processing (cards, invoices) | United States and Canada | stripe.com/privacy · PCI-DSS Level 1, SOC 2 Type II |
Other operational
| Subprocessor | What they do for us | Where processing happens | Their security/privacy page |
|---|---|---|---|
| Calendly, LLC | Meeting scheduling (call bookings on our marketing page and from the client portal) | United States | calendly.com/privacy |
Data each subprocessor can access
For transparency, here is what each subprocessor can see. No subprocessor has access to the full picture; each sees only what it needs for its function.
| Subprocessor | Email content | Customer credentials | Knowledge base | Account metadata | Payment details |
|---|---|---|---|---|---|
| Railway | Yes (encrypted at rest in database) | Yes (encrypted at rest) | Yes (encrypted at rest) | Yes | No |
| Cloudflare R2 | No (only KB files + backup archive) | No | Yes (raw files) | No | No |
| AWS KMS | No | Key only: decrypts data keys, never sees raw credentials | No | No | No |
| Clerk | No | No | No | Authentication details, MFA | No |
| MiniMax (standard tier) | Yes (email bodies sent for inference; may be used by MiniMax for training) | No | Yes (KB chunks sent for embedding/retrieval) | No | No |
| Stripe | No | No | No | Billing contact | Card details (Stripe holds these; we don't) |
| Calendly | No | No | No | Name and email when booking a call | No |
Not subprocessors (for clarity)
Some services are NOT subprocessors under this framework because they don't process personal data on our behalf:
- GitHub: where we host our code. Customer data does not live in GitHub.
- Google Workspace: our own internal email and docs. Our business operations, not customer data processing.
- Linear: our own internal project management.
These are vendors to Achieve IT and are not listed as subprocessors because they do not process customer personal information.
Historical subprocessor changes
We log every addition, removal, or material change to this list so customers have an auditable history.
| Date | Change | Notes |
|---|---|---|
| 2026-05-01 | Initial publication | Launch version |
(This table will grow over time as we add or swap subprocessors.)
Questions
- General privacy questions: [email protected]
- Data-processing / DPA questions: [email protected]
- Security researcher disclosures: [email protected]