Skip to main content

Home / Sub-processors

Sub-processors

Last updated: May 17, 2026

Purpose of this page

LEXAI uses third-party services to deliver parts of the platform (database, AI, lawyer-subscription billing, email, messaging, observability). UAE PDPL Art. 6 requires us to disclose every external processor that handles your personal data, the purpose, and the data residency. This page is the canonical list. We update it whenever a new sub-processor is added or an existing one rotates infrastructure.

Last reviewed: 2026-05-17

Supabase

Role: Database hosting (Postgres) + auth + storage

Data category: All structured platform data + uploaded files

Data residency: Sydney, Australia (ap-southeast-2)

Data Processing Agreement: https://supabase.com/legal/dpa

Vercel

Role: Application hosting + AI Gateway routing + Edge / Serverless functions

Data category: Request metadata, runtime logs, AI request payloads (transit-only)

Data residency: Multiple Vercel edge regions (configurable). AI Gateway: US-East primary

Data Processing Agreement: https://vercel.com/legal/dpa

Anthropic

Role: AI model provider (Claude Haiku 4.5) for legal Q&A and document analysis

Data category: User chat messages + uploaded documents (not used to train models)

Data residency: United States

Data Processing Agreement: https://www.anthropic.com/legal/dpa

OpenAI

Role: Embedding model (text-embedding-3-large) for legislation retrieval

Data category: Legal text fragments + user chat queries (transit-only via Vercel AI Gateway)

Data residency: United States

Data Processing Agreement: https://openai.com/policies/data-processing-addendum

Stripe

Role: Lawyer subscription billing (internal only — not used for client payments)

Data category: Lawyer subscription amounts, lawyer billing email, lawyer billing address

Data residency: Stripe-managed regions

Data Processing Agreement: https://stripe.com/legal/dpa

Resend

Role: Transactional email delivery

Data category: Recipient email addresses + email content (account, notification, system)

Data residency: United States (AWS us-east-1)

Data Processing Agreement: https://resend.com/legal/dpa

Stream Chat

Role: Real-time messaging between clients and lawyers

Data category: Chat messages, attachments, user IDs, presence

Data residency: Multiple regions; data localisation per Stream account

Data Processing Agreement: https://getstream.io/legal/dpa

Sentry

Role: Error monitoring + performance observability

Data category: Error stack traces + breadcrumbs (PDPL-safe primitives only — no message content)

Data residency: United States

Data Processing Agreement: https://sentry.io/legal/dpa

PostHog

Role: Product analytics (event funnel, retention)

Data category: PII-free events: page views, feature interactions, slug + count props

Data residency: European Union (eu.i.posthog.com)

Data Processing Agreement: https://posthog.com/dpa

Microsoft Clarity

Role: Session replay + behavioural analytics (click / scroll heatmaps, interaction recordings)

Data category: Session recordings + interaction events (loaded only after analytics-cookie consent)

Data residency: United States

Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

Google (Google Ads / Google tag)

Role: Advertising conversion measurement for paid-search campaigns (loaded only after you accept cookies)

Data category: Cookie / click identifiers + a conversion event (e.g. a founding-member reservation). The browser tag sends no name, email, or phone

Data residency: United States / global Google infrastructure

Data Processing Agreement: https://business.safety.google/adsprocessorterms/

Cross-border transfers

Several sub-processors above are based outside the UAE (Anthropic, OpenAI, Resend, Sentry — United States; Vercel — multi-region; PostHog — European Union). UAE PDPL Art. 22–26 permit transfers to such jurisdictions when (a) explicit user consent is provided, (b) the processor maintains adequate safeguards (DPA + technical controls), and (c) data minimisation is enforced.

For AI processing specifically, queries are routed through Vercel AI Gateway to Anthropic Claude. We send only what is needed to answer your question, and your data is not used to train models. See our Privacy Policy section "AI Data Handling" for details.

How to object

If you object to any sub-processor's involvement, contact info@lexaidxb.com. Note that some sub-processors (Supabase, Vercel) are essential infrastructure — objecting effectively means we cannot continue providing the service. Stripe processes lawyer-subscription billing only and never receives client data. Other sub-processors (Sentry, PostHog) are non-essential and can be partially disabled at the account level.

Data Protection Officer (DPO) contact

All PDPL rights requests (access, rectification, erasure, portability, objection), questions about sub-processors, cross-border transfer concerns, and breach notifications should be directed to LEXAI's Data Protection Officer:

Email: info@lexaidxb.com Location: Dubai, United Arab Emirates Response window: within 30 days of receipt (our service commitment).

LEXAI operates a single unified inbox covering DPO, security disclosure, and general support; messages tagged "PDPL" or "DPO" in the subject line are routed to the data-protection workflow.

Questions?

If you have questions about this policy, contact us at info@lexaidxb.com