Legal

Subprocessors

Last updated: May 3, 2026

Why this page exists. CourtFlow AI uses a small number of specialized vendors to deliver the Service. This page lists every entity (a "Subprocessor") that may process customer data on our behalf, what each one does, and the categories of data we share with it. It is the authoritative list referenced by our Data Processing Addendum and Privacy Policy.

1. Service Subprocessors

The following Subprocessors process customer data in the ordinary course of operating CourtFlow AI. All are bound by written agreements that impose data-protection obligations no less protective than those in our agreement with you.

Subprocessor	Purpose	Data Categories	Region
Google LLC	OAuth identity, Gmail (court e-service ingest, label, send), Google Drive (document filing), Google Calendar (deadline events), Google Tasks (deadline tasks).	Account profile, email metadata + body for messages identified as court e-service, OAuth refresh and access tokens (encrypted at rest).	United States
Microsoft Corporation	OAuth identity (Azure AD), Outlook (court e-service ingest, label, send), OneDrive (document filing), Microsoft Calendar, Microsoft To Do.	Account profile, email metadata + body for messages identified as court e-service, OAuth refresh and access tokens (encrypted at rest).	United States
Google Cloud / Gemini API	AI document analysis, deadline extraction, case briefing, draft generation, probate drafting.	PDF/DOCX/EML court documents (in transit only), case metadata, prompts. Not used to train Gemini models.	United States
Anthropic, PBC	Claude API for the courtflow.ai sales chat widget and internal content/SEO automation.	Sales-chat conversation transcripts and CourtFlow-authored prompts. No customer case data, court documents, or email content.	United States
CourtListener (Free Law Project, Inc.)	Verification of AI-generated case law citations; sourcing of weekly Florida court opinion digest.	Citation strings only. No client data, case details, or document content.	United States
Supabase Inc.	Managed PostgreSQL database hosting (case metadata, deadlines, analysis summaries, audit logs).	All persisted application data except documents (which live in Customer Drive/OneDrive). Encrypted at rest with AES-256.	United States (us-east region)
Vercel Inc.	Application hosting, edge network, serverless functions, scheduled cron triggers.	Request payloads in transit; no persistent storage of customer data on Vercel infrastructure.	United States
Upstash, Inc.	Managed Redis (rate-limit counters, short-lived caches) and QStash (scheduled-job queue).	Opaque identifiers, request metadata, and access tokens cached for ~1 hour. No client documents or case content.	United States
Stripe, Inc.	Subscription billing, payment method handling, invoice + receipt delivery, billing portal.	Billing email, firm name, payment method (handled directly by Stripe; CourtFlow never receives card numbers). PCI DSS Level 1.	United States
Resend (Resend Inc.)	Transactional email delivery (welcome, briefings, alerts) and inbound email receiving for federal CM/ECF NEF processing.	Recipient address, message body. Inbound NEF emails routed via dedicated subdomain.	United States
Functional Software, Inc. (Sentry)	Error monitoring and performance tracking.	Stack traces and request metadata, with PII actively scrubbed via lib/sentry-scrub.ts before transmission. No client documents, email content, or OAuth tokens.	United States
LinkedIn Corporation	Composing and publishing posts to the CourtFlow company page (admin-only outbound marketing).	Posts authored by CourtFlow staff. No customer or case data.	United States
PACER (Administrative Office of the U.S. Courts)	One-time free-look retrieval of federal court filing PDFs referenced in NEF emails.	Public docket data only. No CourtFlow PACER credentials are stored; access is via the per-message free-look URL.	United States

2. Customer-Controlled Storage (Not Subprocessors of CourtFlow)

Court documents, case files, and client materials processed through the Service are filed directly to your own Google Drive or Microsoft OneDrive account using the OAuth grant you provide at sign-up. Those storage providers are not Subprocessors of CourtFlow — you are the customer and the data controller of your own Drive/OneDrive tenant, and you can revoke our access at any time from your provider's account settings. CourtFlow does not retain copies of these documents on its own infrastructure.

3. Notification of New Subprocessors

Before we engage a new Subprocessor that will process customer data, we will update this page and post the change to the changelog. We aim to provide at least 30 days' notice in advance of any new Subprocessor going live, except where a faster engagement is required to maintain Service availability or to address a security risk; in those cases we will notify customers as soon as practicable.

To receive proactive notification, contact us at privacy@courtflow.ai and ask to be added to the Subprocessor change list.

4. Right to Object

If you have a reasonable, documented basis to object to a new Subprocessor — for example, a regulatory restriction in your jurisdiction or a legal-ethics constraint on the storage of client data — you may notify us at privacy@courtflow.ai within 30 days of our notice. We will work in good faith to find a workable resolution. If no commercially reasonable resolution can be reached, you may terminate the affected Service for cause and receive a pro-rata refund of any prepaid fees covering the period after termination.

5. Removed or Replaced Subprocessors

When a Subprocessor is removed or replaced, we will note the change in the changelog and, where applicable, describe how data previously handled by that Subprocessor has been migrated, returned, or deleted.

Questions?

For questions about a specific Subprocessor or to request a change-notification subscription, contact privacy@courtflow.ai.