Status: DRAFT — pending legal review and verification against the DPA's Bilag B (the authoritative version lives in the OneDrive DPA template, Bilag B – Betingelser for bruk av Underdatabehandl... .html).
Last updated: 20 May 2026
This page lists the third-party providers ("subprocessors") that Lectora uses to operate the service. Each is bound by a written Data Processing Agreement (DPA) with appropriate safeguards.
Institutions on enterprise contracts: the binding subprocessor schedule is the DPA's Bilag B. This page is a public-facing summary kept consistent with that annex.
We notify institutional customers at least [REVIEW — typical 14-30] days in advance of any change to this list (addition or replacement of a subprocessor). Individual (PAT-mode) users are notified via in-app banner and the "Last updated" date on this page.
Infrastructure
| Provider | Role | Region | DPA / Privacy link |
|---|---|---|---|
| Vercel, Inc. | Application hosting (Next.js, serverless functions, edge middleware) | EU — Frankfurt (eu-central-1) | vercel.com/legal/dpa · security.vercel.com |
| Vercel Blob (Vercel, Inc.) | Object storage for uploaded files (course files, student submissions, AI context files) | EU — Stockholm (eu-north-1 / ARN1) | Same as Vercel above |
| Supabase Inc. | Primary PostgreSQL database (managed) | EU — Frankfurt (AWS eu-central-1) | supabase.com/legal/dpa · supabase.com/legal/subprocessors |
AI inference
| Provider | Role | Region | DPA / Privacy link |
|---|---|---|---|
| OpenAI Ireland Ltd. | Primary AI inference for grading, feedback drafting, teacher assistant. Zero data retention; no training on customer data. | EU (Europe region) | openai.com/policies/data-processing-addendum · EU data residency |
| Google Cloud EMEA Ltd. (Vertex AI / Gemini) | Alternate AI inference for selected workflows. No training on customer data; zero data retention. | EU — europe-west4 (Netherlands) | cloud.google.com/terms/data-processing-addendum |
Important: Lectora does not send direct personal identifiers (student name, email, student ID) to AI providers. AI prompts use only internal pseudonymous identifiers; results are linked back to students within Lectora's own systems. Free-text submission content sent to AI providers may incidentally contain such information; the providers' contractual zero-retention and no-training commitments apply.
Operational services
| Provider | Role | Region | DPA / Privacy link |
|---|---|---|---|
| Inngest, Inc. | Background-job orchestration (durable execution for batch grading). Receives only internal job identifiers — no submission content or direct personal data. | USA — covered by EU SCCs | inngest.com/security |
| Plus Five Five, Inc. (Resend) | Transactional email delivery (account, security, billing notifications) | USA — covered by EU SCCs (Decision 2021/914) per Resend DPA | resend.com/legal/dpa · resend.com/legal/subprocessors |
| Statsig, Inc. | Feature flags, pseudonymous usage analytics, error and performance monitoring (via Vercel Log Drain + Trace Drain) | USA — covered by EU SCCs per Statsig DPA | statsig.com/legal/online-dpa · statsig.com/legal/subprocessors |
Billing (institutional customers only)
| Provider | Role | Region | DPA / Privacy link |
|---|---|---|---|
| Stripe Payments Europe Ltd. / Stripe, Inc. | Subscription billing, invoicing, payment processing. PCI DSS Level 1 certified; Lectora does not store card data. | EU/global — covered by Stripe DPA + EU SCCs | stripe.com/legal/dpa · stripe.com/legal/service-providers |
International transfers
Lectora's customer-content processing is kept within the EU/EEA wherever possible:
- Application hosting, database, file storage, AI inference — all EU regions
- Email (Resend), analytics (Statsig), background-job orchestration (Inngest) — USA with EU Standard Contractual Clauses (SCCs) per Commission Decision 2021/914
For each US-based subprocessor we have:
- A signed DPA incorporating the EU SCCs
- A Transfer Impact Assessment on file
- Supplementary technical measures: encryption in transit (TLS 1.2+), encryption at rest (AES-256), and contractual restrictions on data use
Inngest, in particular, receives no submission content — only internal job identifiers — which substantially reduces the transfer risk.
What's NOT on this list
Packages or libraries that do not process personal data on behalf of Lectora — for example open-source code dependencies — are not subprocessors and are not listed here. Components that appear in Lectora's repository but are not active in production (e.g. unused AI provider SDKs) are also not subprocessors.
Notification of changes
Subprocessor changes are governed by:
- Institutional customers: the notification clause in your DPA (
[REVIEW — confirm against Bilag B clause]) - Individual (PAT) users: in-app banner + updated "Last updated" date on this page
If you object to a new subprocessor and we cannot accommodate the objection through alternative arrangements, the affected customer may terminate the relevant subscription per the termination clauses of the DPA or Terms of Service.
Contact
For questions about subprocessors or international transfers: lectora@fjordbyte.no