Sub-processors
This is the complete list of sub-processors REM Labs uses to deliver the service. We update it before adding any new processor and notify customers on a signed DPA.
Block A · Sub-processors (8)
This list mirrors /compliance.json. Order is alphabetical. AI vendors (Anthropic, OpenAI) receive embedding-input or synthesis-input only during Dream Engine cycles — per their API terms, data is not used for training and is not retained beyond the immediate request.
| Name | Purpose | Location | DPA |
|---|---|---|---|
| Anthropic, PBC | Optional synthesis model for Dream Engine (Claude). API inputs are not used for training. | US | Anthropic DPA → |
| Cloudflare, Inc. | DDoS protection and DNS for remlabs.ai / remlabs.dev. Does not persist memory content. | Global anycast | Cloudflare DPA → |
| Google LLC | Google Cloud / OAuth 2.0 for console login. Sees your email and a verification token. No memory content is sent to Google. | Global | Google DPA → |
| OpenAI, L.L.C. | Embeddings (text-embedding-3-large) and Dream Engine synthesis. API inputs are not used for training. | US | OpenAI DPA → |
| Railway Corp. | Compute for the API origin and Dream Engine background workers. Processes memory content in memory during request handling. | US-West (us-west-2) | Railway DPA → |
| Stripe, Inc. | Billing and subscription management. Receives only billing email, plan, and usage counts — never memory content. | US / Global | Stripe DPA → |
| Supabase, Inc. | Primary memory database. Postgres + pgvector. Stores memory content, embeddings, FTS indexes, audit logs. | US-East (us-east-1) | Supabase DPA → |
| Vercel, Inc. | Static site hosting, global edge CDN, rewrites to origin API. Does not persist memory content. | Global edge / US-East | Vercel DPA → |
The providers in Block A process data on your behalf as our sub-processors and are the canonical 8 also published in /compliance.json. Transactional email (Postmark / ActiveCampaign) for sign-up, password reset, and security alerts is invoked on a best-effort basis and receives only the destination email address; it is not classified as a sub-processor of personal memory content.
Block B · User-authorized OAuth integrations
These providers are only accessed when you explicitly connect them via OAuth in /context. Each integration is revocable in /account. REM Labs acts only as your delegated reader — see /privacy for full OAuth scopes.
| Name | Purpose | Location | DPA |
|---|---|---|---|
| Google (Gmail / Calendar) | Read-only OAuth to ingest emails and calendar events into your memory. You authorize; you can revoke. | Global | Google DPA → |
| Notion Labs, Inc. | Read-only OAuth to ingest explicitly-shared Notion pages. | US | Notion DPA → |
| GitHub, Inc. | Read-only OAuth for commit/issue/PR ingestion. | US | GitHub DPA → |
| Slack Technologies, LLC | Read-only OAuth for message ingestion in authorized channels. | US | Slack DPA → |
| Microsoft Corporation | Microsoft 365 OAuth (Outlook, Teams, Calendar) for read-only ingestion. | Global | Microsoft DPA → |
Change notification policy
Notice period. Customers on a signed DPA are notified at least 14 days before we add or replace a sub-processor that will process personal data. Enterprise customers on a custom MSA may negotiate a longer window.
Right to object. If you object to a new sub-processor on reasonable data-protection grounds, we will work with you on a mitigation path. If no path exists, either party may terminate the affected portion of the service with a pro-rated refund.
Self-hosted customers. Sub-processor changes do not affect self-hosted deployments — your instance only uses the vendors you choose.
Stay notified. Email dev@remlabs.ai to join the sub-processor change notification list.
Need more detail?
Enterprise procurement teams can request a signed DPA, SIG Lite, CAIQ v4, and a SOC 2 Type II letter (when available) at dev@remlabs.ai.