HIRA-4D Subprocessor List
Last updated: 16 March 2026
The following third-party subprocessors process personal information on behalf of HIRA-4D customers:
| Subprocessor | Purpose | Location | Compliance |
|---|---|---|---|
| Supabase Inc. | Database hosting, storage, backups | Zurich, CH (eu-central-2) | SOC 2 Type II, GDPR compliant |
| Clerk Inc. | Authentication, SSO, user management | USA | SOC 2 Type II, GDPR compliant, DPA in place |
| Vercel Inc. | Application hosting, CDN | Global edge | SOC 2 Type II, No PII stored at edge, GDPR compliant |
| Stripe Inc. | Payment processing | USA | PCI DSS Level 1, SOC 2 Type II, GDPR compliant |
| Anthropic PBC (Claude API) | AI processing (SDS parsing, hazard assist) | USA | SOC 2 Type II, Data not used for model training, DPA in place |
Notes
Clerk (authentication): Processes email addresses and authentication tokens. Worker personal information (names, DOBs, health data) is NOT stored in Clerk. Only account administrator credentials pass through Clerk.
Vercel (hosting): Serves the application code. No personal information is stored at edge locations. All data requests route to Supabase in Zurich.
Stripe (payments): Processes payment card information only. No EHS data or worker personal information passes through Stripe.
Claude API (AI): Used for SDS parsing and hazard identification assistance. Anthropic does not retain input data for model training under our API agreement.
Change Notification
We will notify customers at least 30 days before engaging any new subprocessor that processes personal information. Notifications are sent to account administrator email addresses. Customers may object to a new subprocessor within 14 days of notification by contacting info@ohconsultant.com.au.
Questions: info@ohconsultant.com.au