LeadLex
LEGAL

Sub-Processors

Last updated: 10 June 2026

LeadLex (Lead IP GmbH) engages the third-party sub-processors listed below to help provide the LeadLex platform. The list is built from an audit of the platform's actual third-party calls and verified provider documentation. Each sub-processor is bound by a data processing agreement with terms no less protective than those LeadLex offers its customers, processes personal data only on LeadLex's documented instructions, and — for any transfer outside the EEA — is covered by appropriate safeguards (EU-US Data Privacy Framework participation and/or the EU Standard Contractual Clauses).

Primary customer data — the database and each workspace's AI compute — is hosted in the EU (Frankfurt, Germany). Self-hosted components (for example, our self-hosted Langfuse LLM-tracing instance) run on our own EU Fly.io infrastructure and are not separate sub-processors.

This list is incorporated into the Data Processing Agreement as Annex 3.

1. Core platform (always used)

Sub-ProcessorPurposeLocationNotes
SupabaseDatabase, authentication, file storageEU (Frankfurt)SOC 2 Type II
Fly.ioPer-workspace AI compute (Firecracker microVMs) + self-hosted servicesEU (Frankfurt)SOC 2 Type II; ISO 27001 datacenters
VercelWeb-application hosting / edge deliveryEU regionsSOC 2 Type II
PostHogProduct analytics / usage telemetryEU Cloud (Frankfurt)SOC 2 Type II
ResendTransactional email (system notifications)EU (Dublin) sending regionSOC 2 Type II; SCCs/DPF for US-processed service metadata

2. AI providers

Sub-ProcessorPurposeLocationNotes
AnthropicAI inference (Claude)USSOC 2 Type II; ISO 27001; no training on customer data; ≤30-day retention
GoogleFallback AI inference (Gemini)USNo training on customer data
OpenAIText embeddings; optional voice transcription (Whisper)USSOC 2 Type II; no training on API data

3. Email & calendar (only when the customer connects their account)

Sub-ProcessorPurposeLocationNotes
MicrosoftOutlook/Microsoft 365 mail & calendar sync; SSO (Entra ID)Customer tenant / MicrosoftISO 27001; SOC 2 Type II
GoogleGmail / Google Calendar syncCustomer tenant / GoogleISO 27001; SOC 2 Type II

4. Optional messaging channels (only where the customer enables the channel)

Sub-ProcessorPurposeLocationNotes
TelegramLexi messaging channelTelegram FZ-LLCOpt-in
Meta / WhatsAppLexi messaging channelUS / IrelandOpt-in
Slack (Salesforce)Notifications / integrationUSSOC 2; opt-in
Microsoft (Bot Framework / Teams)Teams channelUSOpt-in
HubSpotCRM integration (API), where the customer connects itCustomer's HubSpot portal region — EU (Frankfurt) by default for European customersSOC 2 Type II; opt-in

5. Billing

Sub-ProcessorPurposeLocationNotes
StripeSubscription billing & paymentsUSPCI DSS Level 1; SOC 2 Type II

Public data sources (not sub-processors)

EPO / Open Patent Services, EUIPO, WIPO PatentScope, Espacenet, and Google Patents are queried for public IP, patent, and trademark records; no customer personal data is sent to them for processing.

Optional, user-initiated enrichment lookups (e.g. finding a business email address for a prospect) query specialist business-contact databases with only the minimal business identifiers needed for the lookup; details of the providers used are available on request.

Changes and Objection Rights

LeadLex notifies customers of any intended addition or replacement of a sub-processor by email at least 14 days before the new sub-processor begins processing personal data. Customers may object to a new sub-processor on reasonable data-protection grounds within 14 days of notice, as set out in Section 8.2 of the DPA.

To receive sub-processor change notifications, or to ask a question about this list, contact lexi@leadlex.com.

We onboard law firms one at a time.

Applications open. Reviewed every Tuesday.