This page lists every third-party sub-processor that 1st Place AI uses to deliver the AI Domination service. Each entry describes the sub-processor, the purpose of the processing, the categories of personal data involved, and the location of processing. The list is maintained current; we'll notify Customers at least 30 days before engaging a new sub-processor (see /legal/dpa Section 5).
If your organization needs the list machine-readably (e.g., to feed into a vendor-management system), email privacy@example.com — we'll send a JSON or CSV snapshot.
Core platform
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Vercel | Application hosting, edge functions, request routing, content delivery network. | All Customer Personal Data submitted to the Service, as it transits through our hosting layer. | Global (multi-region; primarily US-East and EU-West). |
| Postgres provider (Neon / Supabase / Vercel Postgres — varies by deployment region) | Primary application database. | All Customer Personal Data stored by the Service. | EU-West and US-East (replicated). |
| S3-compatible object storage (Cloudflare R2 / AWS S3 / Backblaze B2 — varies by deployment region) | Storage of uploaded assets (logos, content images, report covers), data-export archives, and large content artifacts. | Files the Customer uploads; data-export archives; report covers. | EU-West and US-East (depending on tenancy). |
AI inference
We route content-generation, audit-analysis, chat, and tool-use requests through multiple AI providers. The Customer's specific model choice is configured per-workspace (the Customer can disable any provider in /settings/integrations).
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Anthropic (Claude API) | Primary LLM for content generation, audit analysis, chat, tool calls. | Prompts the Service sends on the Customer's behalf — typically content briefs, audit findings, and the Customer's own documents the Service is processing. | US (with EU residency available on enterprise plans). |
| OpenAI | Secondary LLM and embeddings provider. | Same as Anthropic. | US. |
| Perplexity | Web-search-grounded LLM used for visibility tests. | Prompts the Service sends to test the Customer's visibility in AI search results. | US. |
| Google (Gemini) | LLM used for visibility tests; alternative content generation. | Prompts the Service sends on the Customer's behalf. | US. |
| xAI (Grok) | LLM used for visibility tests; alternative content generation. | Prompts the Service sends on the Customer's behalf. | US. |
| Microsoft (Copilot) | LLM used for visibility tests. | Prompts the Service sends on the Customer's behalf. | US. |
Each AI provider is bound by their own data-processing agreement with us. None of them are authorized to train their models on Customer Personal Data — we've executed every available zero-retention or no-training option each provider offers.
Payments
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Stripe | Payment processing, subscription management, tax calculation. | Billing contact name, email, billing address, VAT/tax identifier. Card numbers go to Stripe directly and are never seen by 1st Place AI. | US (Stripe is a PCI-DSS Level 1 certified service provider; EU customer data is processed under Stripe's EU SCCs). |
Email and communications
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Resend | Transactional email delivery (verification, password reset, deletion confirmation, approval notifications, billing receipts). | Recipient email address, subject line, and email body — which may contain links to the workspace and the recipient's name. | US (with EU residency option). |
Integrations the Customer connects
When the Customer connects an integration, the Customer's interaction with that third party is governed by the third party's own terms and privacy policy, not by this DPA. We list them here for transparency.
| Integration | Purpose | Data categories |
|---|---|---|
| Cross-posting approved content to a connected LinkedIn profile or page. | OAuth token (encrypted at rest), post content, scheduled publish time. | |
| Slack | Posting platform notifications into a Slack channel; bot install for /commands and rich message formatting. | OAuth bot token (encrypted at rest), channel IDs, post content. |
| WordPress (.com and self-hosted) | Publishing approved articles, FAQs, location pages. | OAuth or app-password token (encrypted at rest), post content. |
| Webflow | Publishing approved content into a Webflow CMS collection. | OAuth token (encrypted at rest), content. |
| Shopify | Publishing approved content into a Shopify blog. | OAuth token (encrypted at rest), content. |
| Wix | Publishing approved content. | OAuth token (encrypted at rest), content. |
| Squarespace | Publishing approved content. | API key (encrypted at rest), content. |
| Publishing approved community content (gated behind the platform's shadow-mode safety rails). | OAuth token (encrypted at rest), post content, subreddit, scheduled publish time. | |
| OAuth sign-in (Google Workspace logins). | OAuth profile (name, email, profile image). |
Observability
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Vercel Logs | Server-log aggregation, error tracing, performance monitoring. | Request paths, response codes, error stacks. May incidentally include personal data that appears in request paths (e.g., a workspace slug). 30-day retention. | Global (multi-region). |
How to object
Under our DPA you may object to a new sub-processor on reasonable data-protection grounds. Email privacy@example.com within 30 days of being notified of a new sub-processor. We will work with you in good faith to resolve the objection; if no resolution is possible you may terminate the Agreement on written notice.
Updates
We update this page whenever the sub-processor list changes — adding, removing, or replacing an entry. The "Effective date" stamp at the top of the page reflects the most recent change. Customers on plans that include the DPA receive an email notification at least 30 days before a new sub-processor goes live.