Sub-Processors
The third-party services that help us run Ledg, what they do, and where your data lives. Updated whenever the list changes.
01 Summary
Ledg processes Customer Data on its own infrastructure and through the sub-processors listed on this page. We engage each sub-processor under a written agreement that includes data-protection terms commensurate with the data they handle. We review the security posture of every sub-processor with access to Customer Data at least annually.
02 Sub-processors with access to your data
Each of the following providers may process Customer Data on Ledg's behalf in the course of providing the Service.
| Vendor | Role | Data categories | Region | Attestations |
|---|---|---|---|---|
| Supabase | Primary database, identity provider, and object storage for receipts. | All Customer Data, including ledger entries, receipts, banking transactions, and account credentials (hashed). | Canada (Central). | SOC 2 Type II, HIPAA, ISO 27001. |
| Vercel | Application runtime, edge delivery, and build pipeline. | Transient request data only. No persistent Customer Data storage. | Global edge; primary regions in Canada and the United States. | SOC 2 Type II, ISO 27001. |
| Stripe | Payment processing, subscription management, invoice issuance. | Customer name, email, billing address, last 4 of card, subscription status, payment history. Card numbers are not stored by Ledg. | Global; primarily United States. | PCI DSS Level 1, SOC 2 Type II, ISO 27001. |
| Plaid | Financial-account data access for bank-feed import (only when you explicitly link an account). | Account metadata, transactions, and balances for the accounts you link. Access tokens are stored server-side and encrypted at rest. | United States and Canada. | SOC 2 Type II, ISO 27001. |
| GitHub | Source-code management, CI / CD pipeline, automated security scanning. | Source code only. No Customer Data. | Global; primarily United States. | SOC 1 / 2 / 3, ISO 27001, FedRAMP Moderate. |
| Cloudflare | DNS, public-edge delivery, and the email-to-receipt ingest worker. | Inbound email-to-receipt forwarding (transient). No persistent Customer Data storage. | Global edge. | SOC 2 Type II, ISO 27001. |
| Google (Gemini API) | Receipt parsing for receipts you forward into Ledg by email, and Ledg AI vendor-name and category cleanup for transactions in Stage. | Receipt content forwarded by you, plus the descriptor and amount of bank transactions you ask Ledg AI to clean up. No bank credentials, account numbers, or personal identifiers are sent. Per Google's API terms, your traffic is not used to train models. | Global; routed by Google. | SOC 1 / 2 / 3, ISO 27001, ISO 27017 / 27018. |
03 Operational sub-processors
The following providers support Ledg's operations but do not process Customer Data.
| Vendor | Role | Data categories | Region | Attestations |
|---|---|---|---|---|
| Cloudflare Registrar | Domain registration for ledg.ca. | WHOIS metadata and DNS records. No Customer Data. | Global. | Same as Cloudflare above. |
| Upstash | Distributed rate-limit counters when configured. | IP addresses and counters. No Customer Data. | Global edge. | SOC 2 Type II. |
04 How we evaluate sub-processors
Before a vendor is granted access to Customer Data, we evaluate:
- The vendor's security posture, evidenced by SOC 2 Type II reports, ISO 27001 certifications, or equivalent third-party attestations.
- The vendor's data-protection commitments, set out in a written Data Processing Agreement or equivalent.
- The vendor's processing locations and any cross-border transfer implications.
- The vendor's history of disclosed Security Incidents.
Our broader security programme is described on the Security page. The data we collect, the legal bases on which we rely, and your rights as a data subject are described in the Privacy Policy.
05 Notice of changes
We update this page whenever a sub-processor with access to Customer Data is added, removed, or materially changes its role. Material additions are also announced in our changelog. You can subscribe to the changelog to be notified of updates.
If you object to a new sub-processor handling your Customer Data, contact us within thirty (30) days of the change to discuss your options, which may include exporting your data and ending your subscription.
06 Questions
For questions about this list, the agreements behind it, or any aspect of how a particular sub-processor handles your data, write to legal@ledg.ca. We usually reply within two business days.
Questions about this policy?
Email legal@ledg.ca. A human reads every message.