Who touches your data, disclosed.
Dijin uses a short list of subprocessors. Here's every one, what it sees, and where. One ledger, kept current.
Supabase (Stockholm)
Authenticated kg.* rows (claims, entities, evidence, audit_logs) under per-user RLS. Operates the Postgres + Edge Functions substrate.
Cloudflare R2
Owner-signed encrypted DMF archives (vault canonical) + audit snapshots. Object content is ciphertext; bucket metadata is operational.
Vercel
Web app hosting + serverless function execution. Request logs (URL, method, status, latency) for operability; no request body content is retained.
Google Gemini (embeddings)
Query text and derived claim text, sent to produce vector embeddings for recall ranking. Not raw transcript plaintext.
Anthropic Claude (extraction + Memory Kernel composer)
Two Cloud Intelligence ON paths: (1) extraction — raw segment plaintext ephemerally during one extraction job, to derive entities and claims (held only for the job, discarded after); (2) answer-time — an EvidencePack (already-derived claims + their citations) plus the user's query text, to compose grounded answers under the composer-only policy (Memory Kernel S3); the LLM never authors a fact, only cites the pack.
Paddle (web billing)
Web subscription transactions (Pro annual, Plus annual). Acts as Merchant of Record; sees billing identity + card details (Dijin does not). Plus on iOS/iPadOS/macOS is billed by Apple App Store, not Paddle.
Cloudflare Turnstile
Sign-up / sign-in challenge tokens. Bot-mitigation challenge result only; no Dijin content crosses.
This is the same ledger the trust center and the DPA render from, the three can never disagree.