Sub-processors
This is the complete list of sub-processors REM Labs uses to deliver the service. We update it before adding any new processor and notify customers on a signed DPA.
Infrastructure
These processors touch memory content and personal data during normal operation.
| Name | Purpose | Location | DPA |
|---|---|---|---|
| Vercel, Inc. | Static site hosting, global edge CDN, rewrites to origin API. Does not persist memory content. | Global edge / US-East | Vercel DPA → |
| Supabase, Inc. | Primary memory database. Postgres + pgvector. Stores memory content, embeddings, FTS indexes, audit logs. | US-East (us-east-1) | Supabase DPA → |
| Railway Corp. | Compute for the API origin and Dream Engine background workers. Processes memory content in memory during request handling. | US-West (us-west-2) | Railway DPA → |
| Cloudflare, Inc. | DDoS protection and DNS for remlabs.ai. Does not persist memory content. | Global anycast | Cloudflare DPA → |
AI / embedding vendors
These vendors receive embedding-input or synthesis-input during Dream Engine cycles. Per their API terms, data is not used for training and is not retained beyond the immediate request.
| Name | Purpose | Location | DPA |
|---|---|---|---|
| OpenAI, L.L.C. | Embeddings (text-embedding-3-large) and Dream Engine synthesis. API inputs are not used for training. | US | OpenAI DPA → |
| Anthropic, PBC | Optional synthesis model for Dream Engine (Claude). API inputs are not used for training. | US | Anthropic DPA → |
Identity & billing
These vendors handle identity and payment metadata. They do not receive memory content.
| Name | Purpose | Location | DPA |
|---|---|---|---|
| Google LLC (OAuth) | Google OAuth 2.0 for console login. Google sees your email and a verification token. No memory content is sent to Google. | Global | Google DPA → |
| Stripe, Inc. | Billing and subscription management. Receives only billing email, plan, and usage counts — never memory content. | US / Global | Stripe DPA → |
| Postmark (ActiveCampaign) | Transactional email (sign-up, password reset, security alerts). Receives destination email only. | US | Postmark DPA → |
Optional integrations
These providers are only accessed when you explicitly connect them via OAuth in your account. Each integration is revocable from Account Settings. REM Labs acts only as your delegated reader — see /privacy for full OAuth scopes.
| Name | Purpose | Location | DPA |
|---|---|---|---|
| Google (Gmail / Calendar) | Read-only OAuth to ingest emails and calendar events into your memory. You authorize; you can revoke. | Global | Google DPA → |
| Notion Labs, Inc. | Read-only OAuth to ingest explicitly-shared Notion pages. | US | Notion DPA → |
| GitHub, Inc. | Read-only OAuth for commit/issue/PR ingestion. | US | GitHub DPA → |
| Slack Technologies, LLC | Read-only OAuth for message ingestion in authorized channels. | US | Slack DPA → |
| Microsoft Corporation | Microsoft 365 OAuth (Outlook, Teams, Calendar) for read-only ingestion. | Global | Microsoft DPA → |
Change notification policy
Notice period. Customers on a signed DPA are notified at least 14 days before we add or replace a sub-processor that will process personal data. Enterprise customers on a custom MSA may negotiate a longer window.
Right to object. If you object to a new sub-processor on reasonable data-protection grounds, we will work with you on a mitigation path. If no path exists, either party may terminate the affected portion of the service with pro-rated refund.
Self-hosted customers. Sub-processor changes do not affect self-hosted deployments — your instance only uses the vendors you choose.
Stay notified. Email legal@remlabs.ai to join the sub-processor change notification list.
Need more detail?
Enterprise procurement teams can request signed DPA, SIG Lite, CAIQ v4, and a SOC 2 Type II letter (when available) at legal@remlabs.ai.