Lookout

Subprocessors

Last updated: March 27, 2026. This list is illustrative for typical deployments of Lookout. Remove categories you do not use, add vendors specific to your stack, and link to their privacy or DPA pages where required.

1. How to use this page

Subprocessors (or “sub-processors”) are third parties that process personal data on our behalf to provide the Service. Customers who need a formal list for their vendor due diligence can rely on this page together with the Data Processing Agreement (template) and Privacy Policy. If you operate a self-hosted instance, replace this content with the providers you actually engage.

2. Infrastructure and application hosting

  • Compute and database: The cloud region or datacenter where the application and database run (for example AWS, Google Cloud, Azure, Fly.io, Laravel Cloud, or servers you control). Subprocessor identity and location should match your hosting contract and privacy disclosures.
  • Backups and object storage: If you store backups or assets with a separate vendor (for example S3-compatible storage), that provider may process data at rest according to its terms.

3. Email delivery

  • Transactional mail: Your configured mail provider (for example Postmark, Resend, Amazon SES, Mailgun, or SMTP) processes recipient addresses and message content for verification, invitations, alerts, and billing notices.

4. Payments

  • Stripe: When billing is enabled, Stripe, Inc. and its affiliates process payment data, billing portal activity, tax calculation when STRIPE_AUTOMATIC_TAX is enabled, and related fraud signals. Processing is governed by the Stripe Data Processing Agreement and services agreement you accept in the Dashboard.

5. Authentication (optional)

  • OAuth providers: If you enable social login, GitHub, Google, or other identity providers process authentication events and profile identifiers according to their respective terms and privacy policies.

6. Observability and error reporting (optional)

  • Monitoring this application: If you configure this instance to report its own errors or metrics to another product, that vendor may process stack traces, request metadata, and similar telemetry. See your Documentation and internal runbooks for variables such as ingest URL and API key.

7. Other subprocessors

Add any additional categories that apply to you: for example CDN/WAF, search, analytics, support ticketing, or SIEM. For each, name the vendor, describe the processing, and link to their trust or privacy documentation.

8. Changes

We may update this list when we add or replace subprocessors. We will post the revised page with a new “Last updated” date and, where our customer terms require it, notify affected customers in advance or offer a mechanism to object.

← Back to home Privacy Policy DPA Terms of Service