Sub-processors

LEXAI uses third-party services to deliver parts of the platform (database, AI, payments, email, messaging, observability). UAE PDPL Art. 6 requires us to disclose every external processor that handles your personal data, the purpose, and the data residency. This page is the canonical list. We update it whenever a new sub-processor is added or an existing one rotates infrastructure.

Last reviewed: 2026-05-17

Role: Database hosting (Postgres) + auth + storage

Data category: All structured platform data + uploaded files

Data residency: Sydney, Australia (ap-southeast-2)

Data Processing Agreement: https://supabase.com/legal/dpa

Role: Application hosting + AI Gateway routing + Edge / Serverless functions

Data category: Request metadata, runtime logs, AI request payloads (transit-only)

Data residency: Multiple Vercel edge regions (configurable). AI Gateway: US-East primary

Data Processing Agreement: https://vercel.com/legal/dpa

Role: AI model provider (Claude Haiku 4.5) for legal Q&A and document analysis

Data category: User chat messages + uploaded documents (zero data retention enabled)

Data residency: United States

Data Processing Agreement: https://www.anthropic.com/legal/dpa

Role: Embedding model (text-embedding-3-large) for legislation retrieval

Data category: Legal text fragments + user chat queries (transit-only via Vercel AI Gateway)

Data residency: United States

Data Processing Agreement: https://openai.com/policies/data-processing-addendum

Role: Lawyer subscription billing

Data category: Transaction amounts, payer email, billing address, card data (handled by Stripe)

Data residency: Multiple regions; UAE acquiring via Stripe MENA

Data Processing Agreement: https://stripe.com/legal/dpa

Role: Transactional email delivery

Data category: Recipient email addresses + email content (booking, notification, system)

Data residency: United States (AWS us-east-1)

Data Processing Agreement: https://resend.com/legal/dpa

Role: Real-time messaging between clients and lawyers

Data category: Chat messages, attachments, user IDs, presence

Data residency: Multiple regions; data localisation per Stream account

Data Processing Agreement: https://getstream.io/legal/dpa

Role: Error monitoring + performance observability

Data category: Error stack traces + breadcrumbs (PDPL-safe primitives only — no message content)

Data residency: United States

Data Processing Agreement: https://sentry.io/legal/dpa

Role: Product analytics (event funnel, retention)

Data category: PII-free events: page views, feature interactions, slug + count props

Data residency: European Union (eu.i.posthog.com)

Data Processing Agreement: https://posthog.com/dpa

Several sub-processors above are based outside the UAE (Anthropic, OpenAI, Resend, Sentry — United States; Vercel — multi-region; PostHog — European Union). UAE PDPL Art. 22–26 permit transfers to such jurisdictions when (a) explicit user consent is provided, (b) the processor maintains adequate safeguards (DPA + technical controls), and (c) data minimisation is enforced.

For AI processing specifically, queries are routed through Vercel AI Gateway (zero data retention enabled) to Anthropic Claude. Anthropic is contractually bound to ZDR — your queries are not stored after the response is returned and are not used to train models. See our Privacy Policy section "AI Data Handling" for details.

If you object to any sub-processor's involvement, contact info@lexaidxb.com. Note that some sub-processors (Supabase, Stripe, Vercel) are essential infrastructure — objecting effectively means we cannot continue providing the service. Other sub-processors (Sentry, PostHog) are non-essential and can be partially disabled at the account level.

All PDPL rights requests (access, rectification, erasure, portability, objection), questions about sub-processors, cross-border transfer concerns, and breach notifications should be directed to LEXAI's Data Protection Officer:

Email: info@lexaidxb.com Location: Dubai, United Arab Emirates Response window: within 30 days of receipt, as required by UAE PDPL.

LEXAI operates a single unified inbox covering DPO, security disclosure, and general support; messages tagged "PDPL" or "DPO" in the subject line are routed to the data-protection workflow.