Trust & Security
Sub-processors
CoursePortify relies on the following third-party services ("sub-processors") to operate the platform. Each is contractually bound to confidentiality and to process data only on our documented instructions. We notify customers under signed Data Processing Addenda before we add a new sub-processor. This page is the canonical list and supersedes any earlier version embedded in our Privacy Policy.
Current sub-processors
| Provider | Purpose | Data categories | Region |
|---|---|---|---|
|
Google Cloud Platform Google LLC (Mountain View, CA) Terms · Compliance |
Cloud Run (compute), Cloud Storage (uploads), Firestore (job metadata), Cloud Logging, Secret Manager | Account metadata, course content, job metadata, request logs, secrets at rest | United States (us-central1, us-east1) |
|
Clerk Clerk, Inc. (San Francisco, CA) DPA · Privacy |
Authentication, identity management, session token issuance | Email address, name, profile image URL, authentication credentials, session tokens, IP at sign-in | United States |
|
Stripe Stripe, Inc. (South San Francisco, CA) DPA · Privacy |
Payment processing, refunds, fraud detection, payout / billing | Payment-method details, billing address, transaction metadata; full card data is held by Stripe and never reaches CoursePortify | United States |
|
Google Vertex AI / Cloud Translation Google LLC DPA · Data governance |
Machine translation and quality evaluation via Gemini and Translation API | Course content excerpts submitted for translation or evaluation; not used to train general-purpose models | United States |
Cross-cutting commitments
- Each sub-processor is bound to written data-processing terms at least as protective as our own.
- None of our sub-processors are authorized to use customer content to train general-purpose models.
- Customer content is processed only in U.S. regions; we do not transfer course content outside the United States.
- For customers under signed DPAs, we will provide 30 days' notice before adding a new sub-processor that handles customer data.
Optional sub-processors (Enterprise tier only)
The following are not engaged by default; they are added only when an Enterprise customer signs an Order Form requesting the corresponding feature.
- Customer-managed encryption keys (CMEK) — keys are held in the customer's own Google Cloud KMS instance.
- SSO providers (Okta, Microsoft Entra ID, Google Workspace, etc.) — federated authentication targeting the customer's IdP under the customer's existing relationship with that IdP.
How we communicate changes
Material changes to this list are dated and announced. Where customers have signed our DPA, we provide written notice to the address on file at least 30 days before a new sub-processor handles customer data, unless an emergency change is required (in which case we notify as soon as is practicable).
Questions
Email contact@koneroanalyticsml.com with subject Sub-processor inquiry to request our DPA, raise a concern, or subscribe to sub-processor change notices.
Questions about this document? Email contact@koneroanalyticsml.com or visit our contact page.