Subprocessor List
Breachday LLC · breachday.io
Effective Date: May 30, 2026
Breachday LLC uses certain third-party service providers ("subprocessors") to host and operate the Breachday exercise platform.
Subprocessors process personal information and Customer Data only on Breachday's instructions to deliver the Service described in the Terms of Service and Privacy Policy.
This list applies to the Breachday application at app.breachday.io (authenticated org users, exercise participants, and public /build export processing).
Data location: Application Customer Data is hosted on Supabase Postgres in the United States. The application is deployed on Vercel in the United States.
Material Changes Notice
Breachday will provide reasonable advance notice of material subprocessor changes (e.g., email to registered account holders and/or in-Service notice). Customers may contact compliance@breachday.io with questions about subprocessors.
Subprocessors
| Subprocessor | Role | Data processed | Processing location |
|---|---|---|---|
| Supabase Privacy Policy | PostgreSQL database, authentication, realtime messaging, object storage | All application Customer Data stored in Breachday; user credentials (hashed passwords managed by Supabase Auth); organization logos and playbook PDF files in Supabase Storage; realtime exercise session events and presence | United States |
| Vercel Privacy Policy | Application hosting and serverless compute for the Next.js app (app.breachday.io) | HTTP request metadata and application request/response data passing through the hosting layer during page loads and API calls; Vercel does not persistently store Customer Data as part of normal application operation | United States |
| Stripe Privacy Policy | Payment processing, subscription billing, Customer Portal | Billing contact information, subscription and invoice records, payment method tokens and payment card data (stored and processed by Stripe, not Breachday); Breachday stores Stripe customer ID, subscription ID, price ID, and subscription status only | United States |
| Resend Privacy Policy | Transactional email delivery | Recipient email addresses and content of transactional emails only, including: email verification, password reset, organization invitations, support ticket notifications (new ticket, customer reply, staff reply), payment failure notices, subscription lapse and scheduled deletion warnings | United States |
| Inngest Privacy Policy | Scheduled and delayed background job orchestration | Job payloads needed to run scheduled operations (e.g., timed inject release, ephemeral session cleanup, subscription lifecycle warnings and org purge, dormant unverified signup cleanup). Inngest does not persist Customer Data as a data store for Breachday; payloads are transient for job execution | United States |
| OpenRouter Privacy Policy | AI model routing for AI Scenario Builder and Weekly Scenario Recommendations | AI Scenario Builder — scenario prompts and structural parameters submitted by authenticated users. Weekly Scenario Recommendations — publicly available threat intelligence headlines and internal template metadata only. Zero Data Retention (ZDR) enforced on all requests; no data stored or used for model training. Free-tier models disabled. | United States |
Note: Stripe's JavaScript (js.stripe.com) is loaded on billing and checkout flows; governed by Stripe's privacy policy.
What is not a subprocessor
Exercise Participants who join via room code are not subprocessors. Customer organizations remain responsible for how they share room codes/passwords with participants. Exported files (PDF/DOCX/JSON downloads) are the Customer's responsibility once downloaded.
Security and Contracts
Subprocessors are engaged under agreements requiring them to process data only to provide services to Breachday and implement appropriate security measures.
Contact
Compliance: compliance@breachday.io