Sub-Processors
DRAFT for Legal Review. Last revised 2026-05-20.
This page lists the third-party service providers (the “Sub-processors”) that Backoffice.co, Inc. (“Backoffice”) uses to provide the software-as-a-service product offered at [DRAFT NOTE → Marketing/Legal: insert final product name] (the “Service”). It supplements and is incorporated into the Privacy Policy for the Service.
We update this list when we add or remove a Sub-processor. Material additions will be notified to customers at least 30 days in advance via email to the account-administrator address. Customers may object to a new Sub-processor by email to privacy@backoffice.co within that 30-day window; see the Privacy Policy for the consequences of a sustained objection.
How to read this list
- Category — what role the Sub-processor plays.
- Sub-processor — the legal entity. Where we use a brand name, the underlying legal entity is given in parentheses.
- Purpose — what we use them for.
- Customer Data categories — what categories of Customer Data the Sub-processor processes on our behalf. “Production telemetry only” means the Sub-processor receives operational data (event names, error stack traces, metrics) but no Customer Data ingested from Connected Accounts.
- Processing location — where the Sub-processor’s facilities that process the data are physically located.
Infrastructure
| Category | Sub-processor | Purpose | Customer Data categories | Processing location |
|---|---|---|---|---|
| Cloud infrastructure | Amazon Web Services, Inc. | Compute (ECS/Fargate), storage (Aurora Postgres, S3), networking, secrets management (Secrets Manager, SSM), monitoring (CloudWatch), object storage for uploaded receipts | All Customer Data | U.S. (us-east-1 and other U.S. regions) |
| AI / ML inference | Amazon Web Services, Inc. (via Amazon Bedrock) | Foundation-model inference for transaction categorization and embedding generation. Underlying foundation models include Anthropic’s Claude family and Amazon’s Titan family. AWS Bedrock does not use our inputs or outputs to train its or third-party models. | Transaction descriptions, merchant names, amount buckets, chart-of-accounts identifiers, prior-categorization examples (per § 5 of the Privacy Policy) | U.S. (us-east-1) |
| Object storage (receipts) | Amazon Web Services, Inc. (via Amazon S3) | Storage of receipt images and supporting documents Customer uploads | Uploaded files; transaction identifiers | U.S. |
| Message broker | Amazon Web Services, Inc. (via Amazon MQ for RabbitMQ) | Internal task queueing between backend and AI services | Job identifiers and references to Customer Data records (not Customer Data itself in queue payloads) | U.S. |
| In-memory cache and queue backend | Amazon Web Services, Inc. (via Amazon ElastiCache for Redis) | Caching, Celery result backend, rate-limiting | Transient identifiers; cached responses with short TTL | U.S. |
[DRAFT NOTE → Legal: confirm the broker is Amazon MQ for RabbitMQ in production. The repo uses RabbitMQ in docker-compose; production hosting is configured via platform/ Terraform. Have engineering verify.]
Identity
| Category | Sub-processor | Purpose | Customer Data categories | Processing location |
|---|---|---|---|---|
| Identity provider | Okta, Inc. (via Auth0) | Authentication of Authorized Users, password management, MFA, social login (where enabled). Auth0 is the source of truth for Authorized User identities. | Authorized User email, name, optional phone, Auth0 subject identifier, authentication metadata | U.S. (Auth0 PROD tenant region: U.S.) |
[DRAFT NOTE → Legal: confirm production Auth0 tenant region — staging is finally-labs.us.auth0.com per docs/auth0-configuration.md. Production tenant separation is deferred per spec.]
Data Connectivity
| Category | Sub-processor | Purpose | Customer Data categories | Processing location |
|---|---|---|---|---|
| Bank connectivity | Plaid, Inc. | Bank-account linking via Plaid Link, ongoing transaction sync, balance retrieval, institution metadata. Customer enters bank credentials directly into Plaid; Backoffice does not see or store bank credentials. | Bank-account metadata, balances, transactions (per § 2.3(a) of the Privacy Policy) | U.S. |
| Accounting-system connectivity | Intuit Inc. (QuickBooks Online) | OAuth-authorized read (and, where Customer enables, write) of QuickBooks Online accounting records | Chart of accounts, vendors, customers, items, classes, departments, employees, bills, invoices, payments, journal entries, and other QBO entity records (per § 2.3(b) of the Privacy Policy) | U.S. |
Billing
| Category | Sub-processor | Purpose | Customer Data categories | Processing location |
|---|---|---|---|---|
| Payment processing | Stripe, Inc. | Subscription billing, payment-method collection via Stripe-hosted Checkout, Stripe Customer Portal for self-service subscription management. Stripe collects payment-card data directly; Backoffice does not store full card numbers or CVVs. | Customer business name and email; subscription metadata; payment-method type, brand, last four digits, expiry (for display) | U.S. (Stripe’s primary region) |
Analytics, Monitoring, Telemetry
| Category | Sub-processor | Purpose | Customer Data categories | Processing location |
|---|---|---|---|---|
| Product analytics | PostHog, Inc. | First-party product analytics: event names and non-sensitive properties, feature-flag delivery. Sensitive identifiers (EIN, full address, phone) are not sent to PostHog. Authorized User email may be sent via identify for cohort analysis. | Authorized User identifier, Tenant identifier, event names and non-sensitive properties | U.S. (cloud region configurable; production region: U.S.) |
| Error monitoring | Functional Software, Inc. d/b/a Sentry | Capture and triage of unhandled exceptions; performance traces. Authentication tokens, JWTs, cookies, session identifiers, payment-card identifiers, and OAuth secrets are scrubbed before transmission, consistent with § 6.1 of the Privacy Policy. | Stack traces, request identifiers, OS/browser metadata | U.S. |
| LLM observability | (none at present) | The current Service does not transmit data to a third-party LLM-observability provider (e.g., LangSmith, Helicone, Langfuse). | — | — |
[DRAFT NOTE → Engineering: confirm whether LangSmith is enabled in production. The ai-platform spec says Bedrock-only, but as production matures we may add LangSmith. If we do, this row needs to populate.]
De-identified Analytics (Internal)
| Category | Sub-processor | Purpose | Customer Data categories | Processing location |
|---|---|---|---|---|
| Data warehouse | Snowflake Inc. | Storage and analysis of de-identified or aggregated bookkeeping signals used to improve classification accuracy (per § 5.4 of the Privacy Policy). Backoffice does not store identifiable Customer Data in Snowflake for this Service. | De-identified vendor-to-category mappings and similar aggregated statistics | U.S. |
Communications
| Category | Sub-processor | Purpose | Customer Data categories | Processing location |
|---|---|---|---|---|
| Transactional and marketing email | [DRAFT NOTE → Legal/Engineering: insert email provider used for transactional and marketing email — likely SendGrid, Postmark, Customer.io, or similar. Confirm.] | Transactional emails (security notices, billing receipts, password resets), and marketing emails to Authorized Users who have opted in | Authorized User email and name; communication content | U.S. |
| SMS | Twilio Inc. (via Intercom) | SMS opt-in messages for transactional notifications, security/account alerts, onboarding, and customer-support communications where the customer has provided a phone number and opted in. | Phone number (E.164); SMS content | U.S. |
| In-product / website chat | Intercom, Inc. | Customer-support chat surface; help articles; in-product messaging | Authorized User identifier, email, name; chat content; events about Authorized User in-product behavior | U.S. (Intercom default region) |
[DRAFT NOTE → Legal/Engineering: confirm the transactional email provider. Also confirm whether the Service uses Intercom directly or only inherits the Backoffice site’s Intercom presence.]
Customer Support
| Category | Sub-processor | Purpose | Customer Data categories | Processing location |
|---|---|---|---|---|
| Customer-support ticketing | [DRAFT NOTE → Legal/Engineering: insert support ticketing system if separate from Intercom — e.g., Zendesk, Help Scout, Linear. If none, remove this row.] | Ticket management, knowledge base | Authorized User identifier and email; ticket content (which may contain Customer Data the Authorized User chooses to share when raising a support ticket) | U.S. |
Affiliates of Backoffice
The following affiliated entities may process Personal Information on behalf of Backoffice.co, Inc. for the purposes described in the Privacy Policy:
[DRAFT NOTE → Legal: list Backoffice.co, Inc. affiliates (including the Finally d/b/a, if relevant) as appropriate. If there are no relevant affiliates, this section can be removed or replaced with a sentence that says so.]
Change log
| Date | Change |
|---|---|
| 2026-05-20 | Initial draft for legal review. |
Backoffice.co, Inc. privacy@backoffice.co