Sub-processors
Last updated: 25 May 2026
Codex uses the following sub-processors to operate the service. Each is bound by a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) where transfers leave the EEA. We notify customers via this page at least 30 days before adding a new sub-processor.
| Vendor | Purpose | Data shared | Region | Safeguard |
|---|---|---|---|---|
| Supabase (Lovable Cloud) | Database, auth, storage | Account, bookings, messages, content | EU (Frankfurt) | DPA, EU hosting |
| Cloudflare | CDN, DDoS protection, edge runtime | IP, request metadata | Global (EU edge) | DPA, SCCs |
| Stripe | Payments, fraud detection | Name, email, payment method, billing address | EU + US | DPA, SCCs, PCI-DSS L1 |
| Resend | Transactional email delivery | Email, name, message content | EU + US | DPA, SCCs |
| Klaviyo | Marketing email (opt-in only) | Email, name, engagement events | EU + US | DPA, SCCs |
| Google (OAuth) | Sign-in with Google | Email, name, avatar (only if you choose Google) | Global | DPA, SCCs |
| OpenAI / Google AI | AI chat & recommendations | Prompt text (no PII appended by us) | US | DPA, zero-retention API tier |
Data Processing Agreement
B2B customers (studios, employers) can request our DPA — including the full SCCs for international transfers — by emailing privacy@thecodex.world. We countersign within 5 business days.
Your rights
Under GDPR you can request access, rectification, deletion, restriction, or portability of your data. Logged-in users can self-serve at /account/privacy. Otherwise email privacy@thecodex.world — we respond within 30 days.
Changes
We post the change date at the top of this page. Material changes are also announced via email to active customers.