Sub-processors
Last updated: May 24, 2026
tryugcai engages the third-party sub-processors listed below to deliver the Service. We sign Data Processing Addenda (DPAs) with each vendor and remain liable for their acts and omissions under our customer-facing DPA. A copy of our customer DPA is available on request to [email protected].
We notify customers at least 30 days in advance of any new sub-processor or material change to this list. To receive notifications, ensure your account email is current in Settings.
| Sub-processor | Purpose | Data categories | Region |
|---|---|---|---|
| Railway DPA / Privacy | Application hosting (API, web app, BullMQ worker, managed Postgres and Redis) | All application data: user accounts, video metadata, job queue payloads, request logs | us-east (Railway Metal) |
| AWS S3 DPA / Privacy | Object storage for uploaded assets and rendered video files | Workspace ID, video files, uploaded product images, reference video files | us-east-1 |
| Cloudflare DPA / Privacy | DNS, edge proxy, DDoS protection, TLS termination for tryugcai.com | Connection metadata (IP address, user-agent, request path) | Global edge |
| Stripe DPA / Privacy | Payment processing, subscription billing, invoicing | Email, billing address, payment method (card details remain in Stripe's PCI scope and never touch our servers), Stripe customer ID | US (multi-region) |
| OpenAI DPA / Privacy | Script/copy generation, product still + scene image generation (gpt-image-2), brief content moderation (Moderation API), transcription (Whisper) | Submitted brief text, generated script, uploaded product/reference images, audio for transcription | US |
| Anthropic DPA / Privacy | Script and shot-list planning, and automated clip quality review (Claude models) | Submitted brief text, generated script, sampled video frames for quality checks | US |
| Fal.ai DPA / Privacy | Avatar lip-sync, image-to-video motion, and product/scene image generation (routes to Kling AI-Avatar, Seedance, Flux, and Nano Banana models) | Uploaded product/reference image (signed URL), prompt text, generated image + MP4 files | US |
| Pexels DPA / Privacy | Stock video b-roll search | Search keywords only — no user PII transmitted | Multi-region (CDN) |
| Resend DPA / Privacy | Transactional email delivery (verify email, password reset, account-deletion notices, new-device security alerts) | Recipient email address, email subject and body | AP-Northeast-1 (Tokyo) |
| PostHog DPA / Privacy | Product analytics (aggregated funnel events for product improvement) | Workspace ID, anonymized event metadata, IP-derived geolocation (country only) | US (us.i.posthog.com) |
| Sentry DPA / Privacy | Application error tracking and performance monitoring | Error stack traces, request metadata, user ID (no PII payload by default — PII flag is OFF) | US |
| Google Cloud / Google Sign-In DPA / Privacy | Optional sign-in via Google OAuth (only triggered when a user clicks 'Continue with Google') | Email address, Google account ID, name from Google profile | Global |
International data transfers
Where personal data is transferred outside the EEA, UK, or Switzerland to a jurisdiction without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (2021/914/EU), the UK International Data Transfer Addendum, or the EU-US Data Privacy Framework where the recipient is self-certified.
Contact
Questions about this list, our DPA, or a particular sub-processor: [email protected].