Sub-processors

Last updated: May 24, 2026

tryugcai engages the third-party sub-processors listed below to deliver the Service. We sign Data Processing Addenda (DPAs) with each vendor and remain liable for their acts and omissions under our customer-facing DPA. A copy of our customer DPA is available on request to [email protected].

We notify customers at least 30 days in advance of any new sub-processor or material change to this list. To receive notifications, ensure your account email is current in Settings.

Sub-processorPurposeData categoriesRegion
Railway
DPA / Privacy
Application hosting (API, web app, BullMQ worker, managed Postgres and Redis)All application data: user accounts, video metadata, job queue payloads, request logsus-east (Railway Metal)
AWS S3
DPA / Privacy
Object storage for uploaded assets and rendered video filesWorkspace ID, video files, uploaded product images, reference video filesus-east-1
Cloudflare
DPA / Privacy
DNS, edge proxy, DDoS protection, TLS termination for tryugcai.comConnection metadata (IP address, user-agent, request path)Global edge
Stripe
DPA / Privacy
Payment processing, subscription billing, invoicingEmail, billing address, payment method (card details remain in Stripe's PCI scope and never touch our servers), Stripe customer IDUS (multi-region)
OpenAI
DPA / Privacy
Script/copy generation, product still + scene image generation (gpt-image-2), brief content moderation (Moderation API), transcription (Whisper)Submitted brief text, generated script, uploaded product/reference images, audio for transcriptionUS
Anthropic
DPA / Privacy
Script and shot-list planning, and automated clip quality review (Claude models)Submitted brief text, generated script, sampled video frames for quality checksUS
Fal.ai
DPA / Privacy
Avatar lip-sync, image-to-video motion, and product/scene image generation (routes to Kling AI-Avatar, Seedance, Flux, and Nano Banana models)Uploaded product/reference image (signed URL), prompt text, generated image + MP4 filesUS
Pexels
DPA / Privacy
Stock video b-roll searchSearch keywords only — no user PII transmittedMulti-region (CDN)
Resend
DPA / Privacy
Transactional email delivery (verify email, password reset, account-deletion notices, new-device security alerts)Recipient email address, email subject and bodyAP-Northeast-1 (Tokyo)
PostHog
DPA / Privacy
Product analytics (aggregated funnel events for product improvement)Workspace ID, anonymized event metadata, IP-derived geolocation (country only)US (us.i.posthog.com)
Sentry
DPA / Privacy
Application error tracking and performance monitoringError stack traces, request metadata, user ID (no PII payload by default — PII flag is OFF)US
Google Cloud / Google Sign-In
DPA / Privacy
Optional sign-in via Google OAuth (only triggered when a user clicks 'Continue with Google')Email address, Google account ID, name from Google profileGlobal

International data transfers

Where personal data is transferred outside the EEA, UK, or Switzerland to a jurisdiction without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (2021/914/EU), the UK International Data Transfer Addendum, or the EU-US Data Privacy Framework where the recipient is self-certified.

Contact

Questions about this list, our DPA, or a particular sub-processor: [email protected].