1. Overview
LinkEdu.AI uses third-party service providers ("subprocessors") to deliver specific platform functions. Each subprocessor processes personal data solely on behalf of LinkEdu.AI under contractual obligations. This page lists all current subprocessors, their purpose, the categories of data processed, and their hosting locations.
Data Processing Agreements (DPAs) are in place with all subprocessors in accordance with GDPR Article 28 and other applicable data protection regulations.
2. Subprocessor Vetting & Due Diligence
Before engaging any subprocessor, LinkEdu.AI performs due diligence to evaluate their data protection practices. This includes:
- Security and privacy posture assessment
- Review of data protection and incident response practices
- Verification of contractual safeguards, including a signed Data Processing Agreement (DPA)
- Ongoing monitoring of compliance and service performance
3. International Data Transfers
All subprocessors processing personal data outside the European Economic Area (EEA) are governed by appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent legal mechanisms, in accordance with GDPR requirements.
The primary data processing location for LinkEdu.AI is the United States. Where subprocessors operate global infrastructure (e.g., CDN edge networks), data exposure is limited to request-level metadata and does not include application-level personal data.
4. Subprocessor List
The following subprocessors are currently engaged by LinkEdu.AI:
| Subprocessor | Category | Purpose | Data Processed | Location | DPA |
|---|---|---|---|---|---|
| Supabase (Supabase Inc.) | Infrastructure | User authentication, relational database, and session management | Hashed credentials, user profiles, application records | United States (AWS us-east-1) | Yes |
| MongoDB (MongoDB Inc.) | Infrastructure | Document storage for AI analysis history, application data, and operational records | AI analysis snapshots, application metadata, CRM records | United States | Yes |
| OpenAI (OpenAI LLC) | AI Processing | AI-powered admission analysis, advisory responses, and program recommendations | Anonymized academic profile context and user queries (no direct identifiers sent) | United States | Yes |
| Stripe (Stripe Inc.) | Payments | Payment processing for institutional subscription plans | Tokenized payment card details, billing address, transaction identifiers | United States | Yes |
| Resend (Resend Inc.) | Communications | Transactional email delivery (application updates, security notifications, confirmations) | Email address and notification content (no academic or financial data) | United States | Yes |
| Cloudflare (Cloudflare Inc.) | CDN / Security | Content delivery, DDoS protection, and edge security | IP addresses, HTTP request metadata (no application-level personal data) | Global (edge network) | Yes |
| Vercel (Vercel Inc.) | Infrastructure | Frontend hosting and static asset delivery | Static assets and access logs (no personal data stored) | United States (Global CDN) | Yes |
5. Data Minimization
Each subprocessor is granted access only to the minimum data necessary to perform its specific function. No subprocessor receives more data than is required for its stated purpose.
Where possible, data is anonymized or pseudonymized before being transmitted to subprocessors. For example, AI processing subprocessors receive anonymized profile context rather than direct personal identifiers.
6. Changes to This List
LinkEdu.AI may update this subprocessor list as new providers are engaged or existing ones are discontinued. When material changes occur, we will:
- Update this page with the new subprocessor details
- Notify affected users via email at least 30 days before the change takes effect
- Provide an opportunity to object to the new subprocessor within that notice period
Users may request notifications of subprocessor changes by contacting privacy@linkedu.ai.
7. Legal Basis for Subprocessor Engagement
Subprocessors act solely on behalf of LinkEdu.AI under contractual obligations and do not process personal data for their own independent purposes. Processing is carried out under the legal bases described in our Privacy Policy, including contractual necessity, legitimate interest, and user consent where applicable.
8. Contact
For questions about our subprocessors, to request change notifications, or for data protection inquiries:
- Data Protection: privacy@linkedu.ai
- DPA Requests: Submit a DPA request
- Security Inquiries: Security request form
- Legal: legal@linkedu.ai