1. About This Page

A "subprocessor" is a third-party service we use to help operate Hugin that may process Customer Data on our behalf. This page is the authoritative, public list of Hugin's subprocessors. It is referenced by, and forms part of, our Privacy Policy and our Data Processing Addendum.

We publish this list so customers, their data protection teams, and their auditors can see who processes data and where, and so that we do not have to rewrite our core policies every time a vendor is added or replaced. We maintain it as Hugin evolves.

This page covers the categories of providers we use. We may use additional infrastructure, security, or operational tooling that does not process Customer Data, and we may change the specific products within a category, without separately listing every such tool.

2. How We Notify You of Changes

We may add, remove, or replace subprocessors as Hugin develops. When we make a material change to this list:

we update this page and the "Last updated" date and changelog below;
for customers who have signed our Data Processing Addendum and subscribed to notifications, we provide notice (by email or in-product) at least 30 days before a new subprocessor begins processing personal data, where reasonably practicable;
a customer with a signed DPA may object to a new subprocessor on reasonable, documented data-protection grounds as described in the DPA.

To subscribe to subprocessor change notifications, email fixeonai@gmail.com.

3. Core Product Subprocessors

These providers help us run the Hugin product (the application, APIs, MCP endpoints, background processing, and storage).

Subprocessor	Purpose	Data processed	Primary location
Vercel Inc.	Application hosting, serverless compute, edge network, scheduled jobs	Application requests and responses, IP-derived connection metadata	United States (global edge)
Supabase, Inc.	Primary database (Postgres), authentication, file/object storage, access control (RLS)	Account and workspace data, authentication identities (email, hashed password, OAuth identity), ingested source content (encrypted at rest), embeddings, derived context, traces, audit logs, billing records, stored files and media	United States (project hosting region)
Trigger.dev Ltd.	Durable background jobs and workflow execution (ingestion, synthesis, deletion, exports)	Workspace and source identifiers and the content payloads processed by those jobs	United Kingdom
Upstash, Inc.	Caching, rate limiting, locks, idempotency, semantic cache	Cache keys, rate-limit counters, idempotency keys, and cached embeddings/results	United States / global

4. AI and Model Processing

Hugin routes all AI model traffic (text, vision, audio transcription, and embeddings) through a single gateway operating in zero-data-retention (ZDR) mode.

Subprocessor	Purpose	Data processed	Primary location
OpenRouter, Inc.	AI model gateway that routes inference and embedding requests to approved underlying model providers	Retrieved company context, queries, source text, images, and audio submitted for inference or embedding — sent only as needed to process a request	United States; routes to model providers in the US and EU

Underlying model providers reached through the gateway currently include Groq, DeepInfra, and Nebius, running models in the Qwen, OpenAI, and NVIDIA families. We may add, remove, or re-route to other approved providers and models over time.

Our standing commitments for AI processing:

We do not use Customer Data to train, fine-tune, or improve any AI model (ours or a third party's). All model calls are inference-only.
Every model call is forced into zero-data-retention mode (the gateway sets "deny data collection" and "zero data retention" on every request, and our code rejects any attempt to override this). Approved routes are limited to providers that support no-retention processing.
See the Privacy Policy and our AI processing commitments for detail.

5. Billing and Payments

Subprocessor	Purpose	Data processed	Primary location
Polar Software, Inc.	Merchant of Record, checkout, subscriptions, usage billing, invoicing, tax handling, refunds, and customer billing portal	Billing-account identifiers, customer name and email, plan, subscription and usage metadata, refund and cancellation records	United States

Polar acts as the Merchant of Record and authorized reseller for Hugin purchases, and is the seller of record for the transaction. Polar uses Stripe as its underlying payment processor. Hugin never receives or stores full payment card numbers, and Hugin does not operate its own payment processing or tax engine. Payment card data is handled by Polar and its payment processor under their own terms and security standards.

6. Communications

Subprocessor	Purpose	Data processed	Primary location
Resend, Inc.	Transactional and notification email delivery	Recipient email address, message subject and body, and delivery/event metadata	United States
Slack Technologies, LLC (Salesforce)	Optional dedicated support channel (Slack Connect) for eligible plans	Customer email (to invite to the channel), workspace name, and messages exchanged in the support channel	United States

Slack is used only for customers who are provisioned a dedicated support/Slack Connect channel (generally annual or Team/Custom plans). It is not used for other customers.

7. Analytics and Security

Subprocessor	Purpose	Data processed	Primary location
PostHog, Inc.	Product analytics and telemetry	Pseudonymous user and workspace identifiers and sanitized event metadata. Message/query content, prompts, emails, secrets, and similar sensitive values are stripped before any data is sent to analytics.	United States (US Cloud)
Cloudflare, Inc.	Bot/abuse protection (CAPTCHA) on authentication, and network security	Challenge tokens and related connection/security metadata	United States (global)

8. Customer-Enabled Connectors (Customer-Directed)

When a customer connects a data source, Hugin reads data from that source at the customer's direction. These sources are chosen and authorized by the customer, are not Hugin's subprocessors, and are governed by the customer's own agreements with those providers. Hugin uses Composio, Inc. (United States) as the integration platform that brokers connector authorization (OAuth) and read access to connected sources; Composio holds the connector OAuth credentials.

All Hugin connectors are read-only. The available sources evolve over time and currently include (non-exhaustive): Slack, Microsoft Teams, Gmail, Outlook, Google Drive, Google Docs, Google Sheets, Google Calendar, OneDrive, Notion, Confluence, Coda, Slite, GitHub, GitLab, Bitbucket, Linear, Jira, Asana, ClickUp, Monday, Wrike, Shortcut, Todoist, TickTick, Zendesk, Intercom, Freshdesk, Help Scout, Gorgias, HubSpot, Salesforce, Pipedrive, Attio, Apollo, Close-style CRMs, Stripe, Brex, Ramp, PandaDoc, Airtable, Metabase, Mixpanel, Datadog, Sentry, PagerDuty, incident.io, Figma, Canva, Miro, Mural, Webflow, Contentful, Calendly, Gong, Fireflies, tl;dv, Zoom, Webex, Google Meet, Dovetail, Typeform, SurveyMonkey, Canny, BambooHR, Workable, Mailchimp, Brevo, Klaviyo, Customer.io, ActiveCampaign, Instantly, Lemlist, YouTube, Box, Harvest, Zep, and customer-defined custom/push sources, among others.

A current, in-product list of available connectors is shown in the application.

9. Processing That Stays Within Hugin (No Third Party)

Not all processing involves a third party. Several capabilities run inside Hugin's own infrastructure, without sending Customer Data to an external provider, including: document, spreadsheet, PDF, image, audio, and video parsing; optical character recognition (OCR); text chunking and tokenization; and PII redaction. We mention this so it is clear that, where we can process data in-house, we do.

10. Changelog

Date	Change
June 16, 2026	Initial published subprocessor list.

11. Contact

Questions about our subprocessors, or requests to subscribe to change notifications:

Fixeon AI Labs

No.2 Haile Selassie Street, Asokoro, Abuja, Nigeria

fixeonai@gmail.com