LEGAL

Sub-processors.

The third parties that process customer data on our behalf to deliver Toby. Updated whenever the list changes. Customers receive at least 30 days' notice before a new sub-processor goes live, with a right to object.

Effective May 15, 2026 · 7 sub-processors

AI inference

Anthropic

SOC 2 Type II

Powers all AI features (Ask Toby chat, document drafting, legal review). Customer content is sent in single requests and is not retained for model training under our agreement.

Region
United States
Data access
Prompts + uploaded document content for the duration of a single inference request.

Database

Neon

SOC 2 Type II

Managed Postgres database. Primary store for all customer data, including HR records, audit logs, and user identity.

Region
United States (AWS us-east-2). EU residency available on Enterprise.
Data access
Encrypted database storage. Neon engineers have no production credentials by default; access is break-glass only, with audit logging.

Edge runtime + storage

Cloudflare

SOC 2 Type II · ISO 27001 · PCI DSS

Application hosting (Workers), object storage for documents and audit exports (R2), DDoS protection, WAF, DNS.

Region
Globally distributed; R2 buckets pinned to US.
Data access
Encrypted-at-rest storage. Cloudflare staff cannot decrypt customer content; encryption keys are held in our control plane.

Authentication + identity

WorkOS

SOC 2 Type II

Sign-in, MFA, passkey enforcement, SAML SSO, SCIM directory sync. Stores the user identity layer.

Region
United States
Data access
Email, name, sign-in metadata (timestamps, IP for rate limiting and abuse detection).

Transactional email

Resend

SOC 2 Type II

Sends transactional emails: magic links, notifications, demo-request acknowledgements, customer onboarding.

Region
United States
Data access
Email address, name, and the message body for the duration of delivery.

Error tracking

Sentry

SOC 2 Type II

Captures application errors for diagnosis. Configured with aggressive PII scrubbing: request bodies, cookies, headers, and IPs are stripped before the payload leaves the worker.

Region
United States
Data access
Stack traces and exception classes only. No customer content, no user identity.

Product analytics

PostHog

SOC 2 Type II

Tracks named events (e.g. "ai_completion_received"). Autocapture and session replay are disabled. User identifiers are SHA-256 hashed with a deploy-scoped salt.

Region
United States
Data access
Hashed user/tenant identifiers and event metadata. No PII, no document content.

Your rights as a customer

Under our Data Processing Agreement, you have the right to object to a new sub-processor on reasonable grounds within 30 days of our notice. If you object, we will work with you to find a mutually acceptable solution; if we cannot, you may terminate the affected portion of the service.

Customer-driven integrations (Slack, Teams, BambooHR, Rippling, Workday, Gusto, Greenhouse, Lever, Ashby, DocuSign, Google Workspace) are not sub-processors of Toby. They are your third-party tools that you authorize Toby to connect to on your behalf. Your relationship with those vendors is governed by your direct contract with them.