Subprocessors
A subprocessor is a third-party service we use to deliver GoBrief. Each one has its own terms and privacy posture; every one on this list has signed SCCs (or equivalent) for EU data transfers.
Pre-incorporation notice. GoBrief is currently operated by Brian Kaplan as a sole proprietor in Nashville, Tennessee, United States, pending formation of GoBrief LLC (a Tennessee limited liability company). On LLC formation, the entity becomes the successor-in-interest and operator under these documents. These policies have been reviewed internally against standard SaaS and privacy patterns and will receive outside-counsel review before customer-paid engagements scale. Any material updates will be versioned here and emailed to active customers 30 days in advance.
Current subprocessors
| Provider | Purpose | Data handled | Location |
|---|---|---|---|
| Cloudflare, Inc. | Application hosting (Workers), database (D1), object storage (R2), DNS, CDN, Workers AI (Whisper transcription), KV (rate limits), email relay. | Everything: accounts, workspaces, uploads, audit logs, backups. | Global edge (US-headquartered; SCCs on file) |
| Stripe, Inc. | Subscription billing, invoicing, customer portal, webhooks. | Name, email, billing address, card last-4 (we never see full PAN), plan + status. | US / Ireland |
| Resend, Inc. | Transactional email delivery: magic-link sign-in, team invites, nudges, delivery notifications. | Recipient email + message body + subject. | US |
| Anthropic, PBC | AI analysis of image and PDF uploads (Claude Sonnet 4.6 via API). Zero training on inputs; max 30-day retention for abuse monitoring. | Uploaded image or PDF content (temporarily) + our analysis prompt + the returned analysis. | US |
| Google LLC | OAuth 2.0 sign-in (only when you choose “Continue with Google”). | Email + profile basics returned on authentication. Google sees no workspace data; they only confirm identity. | US / global |
| Google LLC (Analytics) | Google Analytics 4: aggregate site-usage measurement (page views, traffic sources). | Device/browser metadata and page-view events via the _ga cookies. No advertising features enabled. Google Analytics never sees workspace contents, files, or partner uploads. Opt-out covered in our Cookie Policy. | US / global |
Due diligence + data processing agreements
Before engaging any subprocessor, we conduct due diligence on their security posture, data-protection practices, and subprocessor-of-subprocessor (“sub-sub”) chain. We enter into a written data processing agreement with each subprocessor that imposes data-protection obligations substantially similar to those in our own DPA, including GDPR Art. 28 processor obligations where applicable and the EU Standard Contractual Clauses (Module Two or Module Three) for international transfers. We remain fully liable to our customers for each subprocessor's performance of its data-protection obligations.
Notification policy
We'll notify workspace owners by email at least 30 days before adding or replacing a subprocessor that handles personal data in workspace content or account records. Non-material changes (upgrading within the same provider, changing a provider's region) don't require notice but will be reflected here.
Object to a subprocessor
Customers may object to a new or replacement subprocessor in writing to legal@gobrief.co within 30 days of notice, stating the reasonable data-protection grounds for the objection. Within 15 business days of receiving an objection, we will respond with one of:
- a documented mitigation that addresses the concern (additional contractual or technical controls);
- withdrawal of the proposed subprocessor change; or
- confirmation that we intend to proceed with the change.
If we confirm we intend to proceed and the objection is not resolved, you may terminate the affected portion of the service without penalty. Any pre-paid fees allocable to the terminated service for the unused portion of the then-current paid term will be refunded on a pro-rata basis (calculated as pre-paid fees × remaining days in term ÷ total days in term).
Questions? Reach us at legal@gobrief.co for legal, privacy@gobrief.co for data questions, security@gobrief.co for vulnerability disclosure.