{
  "version": "1.0.0",
  "last_updated": "2026-04-13",
  "operator": "STEADYWRK LLC",
  "headquarters": {
    "city": "Aqaba",
    "zone": "ASEZ (Aqaba Special Economic Zone)",
    "country": "Jordan",
    "data_residency_note": "Primary operations HQ. Contracting entity (corporate shield) is Nexfix LLC (Boulder, CO, USA; EIN 99-4072624). Production data residency is determined per-subprocessor below, not by HQ location."
  },
  "subprocessors": [
    {
      "name": "Neon",
      "role": "primary-database",
      "data_processed": "applicants, employees, jobs, dispatch work orders, contacts, ledger, webhooks payloads",
      "region": "US-East (AWS us-east-2)",
      "soc2": "SOC 2 Type II",
      "dpa_url": "https://neon.tech/legal/dpa",
      "notes": "Drizzle ORM singleton wraps Neon HTTP driver; pool connections via @neondatabase/serverless"
    },
    {
      "name": "Clerk",
      "role": "authentication",
      "data_processed": "user accounts, sessions, passwordless email, OAuth identity, RBAC publicMetadata",
      "region": "US (AWS multi-region)",
      "soc2": "SOC 2 Type II",
      "dpa_url": "https://clerk.com/legal/dpa",
      "notes": "Production uses pk_live_ (publishable) keys; inbound Clerk webhooks are signature-verified via Svix before processing"
    },
    {
      "name": "Upstash",
      "role": "cache-and-rate-limit",
      "data_processed": "rate-limit counters (fingerprint hashes), short-lived session cache",
      "region": "Global (Cloudflare edge)",
      "soc2": "SOC 2 Type II",
      "dpa_url": "https://upstash.com/trust",
      "notes": "Redis; no direct PII stored (fingerprint hashes are derived values and should be treated as pseudonymous data); TTL ≤1h"
    },
    {
      "name": "Sentry",
      "role": "error-monitoring",
      "data_processed": "stack traces, release tags, user IDs (scrubbed), breadcrumbs",
      "region": "US (sentry.io)",
      "soc2": "SOC 2 Type II",
      "dpa_url": "https://sentry.io/legal/dpa/",
      "notes": "Integrated via withSentryConfig; PII scrubbing enabled; release tracking pending SENTRY_AUTH_TOKEN"
    },
    {
      "name": "PostHog",
      "role": "product-analytics",
      "data_processed": "anonymized user events, funnel metrics, drop-off tracking",
      "region": "US Cloud (posthog.com)",
      "soc2": "SOC 2 Type II",
      "dpa_url": "https://posthog.com/dpa",
      "notes": "No raw PII; event properties stripped of credentials; 13-month retention"
    },
    {
      "name": "Arcjet",
      "role": "bot-shield-and-waf",
      "data_processed": "request fingerprints, IP addresses, UA headers (transient)",
      "region": "Global edge",
      "soc2": "in-progress",
      "dpa_url": "https://arcjet.com/legal/dpa",
      "notes": "Edge bot detection + rate-limit layer in front of /api/*"
    },
    {
      "name": "Dots",
      "role": "contractor-payments",
      "data_processed": "contractor KYC, payout instructions, transaction history",
      "region": "US (dots.dev)",
      "soc2": "SOC 2 Type II",
      "dpa_url": "https://dots.dev/legal/dpa",
      "notes": "300+ payment rails (ACH, wire, PayPal, Venmo, crypto); account activation is pending completion of phone-based 2FA enrollment"
    },
    {
      "name": "Resend",
      "role": "transactional-email",
      "data_processed": "recipient email addresses, email body content, delivery events",
      "region": "US (AWS us-east-1)",
      "soc2": "SOC 2 Type II",
      "dpa_url": "https://resend.com/legal/dpa",
      "notes": "React Email templates; bounce + complaint handling"
    },
    {
      "name": "Cloudflare",
      "role": "edge-network-and-dns",
      "data_processed": "DNS records, TLS certificates, edge cache, WAF metadata",
      "region": "Global (280+ PoPs)",
      "soc2": "SOC 2 Type II + ISO 27001",
      "dpa_url": "https://www.cloudflare.com/cloudflare-customer-dpa/",
      "notes": "Domain registrar (planned for steadywrk.com); DNS hosting for all steadywrk.* domains"
    },
    {
      "name": "Railway",
      "role": "application-hosting",
      "data_processed": "application runtime, deployment artifacts, environment variables (production configuration and secrets)",
      "region": "US + EU edge (GCP underneath)",
      "soc2": "SOC 2 Type II",
      "dpa_url": "https://railway.com/legal/dpa",
      "notes": "Auto-deploy from the main branch of karimalsalah/steadywrk; only the apps/web workspace is deployed"
    },
    {
      "name": "GitHub",
      "role": "source-code-hosting",
      "data_processed": "source code, PR metadata, CI workflow runs",
      "region": "US (Azure underneath)",
      "soc2": "SOC 2 Type II + ISO 27001",
      "dpa_url": "https://github.com/customer-terms/github-data-protection-agreement",
      "notes": "Private repository; CODEOWNERS enforced; Dependabot weekly"
    }
  ],
  "out_of_scope": {
    "note": "The following are first-party STEADYWRK systems, not subprocessors:",
    "systems": [
      "steadywrk.app, steadywrk.dev, steadywrk.world, steadywrk.org (all STEADYWRK-operated)",
      "MAESTRO brain API (/api/brain/*) — first-party agent orchestration",
      "Dispatch Engine (/api/dispatch/*) — first-party dispatch control plane"
    ]
  }
}
