Home / Sub-processors
Sub-processors
Last updated: May 17, 2026
Purpose of this page
LEXAI uses third-party services to deliver parts of the platform (database, AI, lawyer-subscription billing, email, messaging, observability). UAE PDPL Art. 6 requires us to disclose every external processor that handles your personal data, the purpose, and the data residency. This page is the canonical list. We update it whenever a new sub-processor is added or an existing one rotates infrastructure.
Last reviewed: 2026-05-17
Supabase
Role: Database hosting (Postgres) + auth + storage
Data category: All structured platform data + uploaded files
Data residency: Sydney, Australia (ap-southeast-2)
Data Processing Agreement: https://supabase.com/legal/dpa
Vercel
Role: Application hosting + AI Gateway routing + Edge / Serverless functions
Data category: Request metadata, runtime logs, AI request payloads (transit-only)
Data residency: Multiple Vercel edge regions (configurable). AI Gateway: US-East primary
Data Processing Agreement: https://vercel.com/legal/dpa
Anthropic
Role: AI model provider (Claude Haiku 4.5) for legal Q&A and document analysis
Data category: User chat messages + uploaded documents (not used to train models)
Data residency: United States
Data Processing Agreement: https://www.anthropic.com/legal/dpa
OpenAI
Role: Embedding model (text-embedding-3-large) for legislation retrieval
Data category: Legal text fragments + user chat queries (transit-only via Vercel AI Gateway)
Data residency: United States
Data Processing Agreement: https://openai.com/policies/data-processing-addendum
Stripe
Role: Lawyer subscription billing (internal only — not used for client payments)
Data category: Lawyer subscription amounts, lawyer billing email, lawyer billing address
Data residency: Stripe-managed regions
Data Processing Agreement: https://stripe.com/legal/dpa
Resend
Role: Transactional email delivery
Data category: Recipient email addresses + email content (account, notification, system)
Data residency: United States (AWS us-east-1)
Data Processing Agreement: https://resend.com/legal/dpa
Stream Chat
Role: Real-time messaging between clients and lawyers
Data category: Chat messages, attachments, user IDs, presence
Data residency: Multiple regions; data localisation per Stream account
Data Processing Agreement: https://getstream.io/legal/dpa
Sentry
Role: Error monitoring + performance observability
Data category: Error stack traces + breadcrumbs (PDPL-safe primitives only — no message content)
Data residency: United States
Data Processing Agreement: https://sentry.io/legal/dpa
PostHog
Role: Product analytics (event funnel, retention)
Data category: PII-free events: page views, feature interactions, slug + count props
Data residency: European Union (eu.i.posthog.com)
Data Processing Agreement: https://posthog.com/dpa
Microsoft Clarity
Role: Session replay + behavioural analytics (click / scroll heatmaps, interaction recordings)
Data category: Session recordings + interaction events (loaded only after analytics-cookie consent)
Data residency: United States
Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Google (Google Ads / Google tag)
Role: Advertising conversion measurement for paid-search campaigns (loaded only after you accept cookies)
Data category: Cookie / click identifiers + a conversion event (e.g. a founding-member reservation). The browser tag sends no name, email, or phone
Data residency: United States / global Google infrastructure
Data Processing Agreement: https://business.safety.google/adsprocessorterms/
Cross-border transfers
Several sub-processors above are based outside the UAE (Anthropic, OpenAI, Resend, Sentry — United States; Vercel — multi-region; PostHog — European Union). UAE PDPL Art. 22–26 permit transfers to such jurisdictions when (a) explicit user consent is provided, (b) the processor maintains adequate safeguards (DPA + technical controls), and (c) data minimisation is enforced.
For AI processing specifically, queries are routed through Vercel AI Gateway to Anthropic Claude. We send only what is needed to answer your question, and your data is not used to train models. See our Privacy Policy section "AI Data Handling" for details.
How to object
If you object to any sub-processor's involvement, contact info@lexaidxb.com. Note that some sub-processors (Supabase, Vercel) are essential infrastructure — objecting effectively means we cannot continue providing the service. Stripe processes lawyer-subscription billing only and never receives client data. Other sub-processors (Sentry, PostHog) are non-essential and can be partially disabled at the account level.
Data Protection Officer (DPO) contact
All PDPL rights requests (access, rectification, erasure, portability, objection), questions about sub-processors, cross-border transfer concerns, and breach notifications should be directed to LEXAI's Data Protection Officer:
Email: info@lexaidxb.com Location: Dubai, United Arab Emirates Response window: within 30 days of receipt (our service commitment).
LEXAI operates a single unified inbox covering DPO, security disclosure, and general support; messages tagged "PDPL" or "DPO" in the subject line are routed to the data-protection workflow.
Questions?
If you have questions about this policy, contact us at info@lexaidxb.com
