Sub-processors
Vendors that process personal data on our behalf to operate Chalk. Each is bound by data-processing terms and may only act on our instructions.
We will update this page before adding or replacing a sub-processor. To be notified by email when this list changes, contact contactus@thinkerbelllabs.com.
| Sub-processor | Purpose | Data categories | Location | Safeguards |
|---|---|---|---|---|
| MongoDB (self-hosted or Atlas) | Primary database. Stores user accounts, notes, folders, library metadata, device pairings, and encrypted Google Drive refresh tokens. | Account data, notes, folders, library metadata, device records, encrypted OAuth refresh tokens. | Deployment-specific (e.g. local server in India, or a MongoDB Atlas region you configure). | Authentication required, encryption at rest on the data volume or Atlas M10+, Standard Contractual Clauses where applicable. |
| Redis | Short-lived cache and rate limiting for the Go API server. Holds per-IP request counters, session-version cache entries, and sync-trigger flags. | Client IP addresses in rate-limit keys; user identifiers in cache keys (session version number only, not note content). | Deployment-specific (e.g. co-located with the API server). | Automatic TTL expiry on all keys; no long-term storage of personal content. |
| Amazon Web Services (S3) | Temporary encrypted object storage for library files (.txt, .brf, .epub) queued for Tactera download until the device acknowledges receipt or the retention period expires. | Library file binaries and associated metadata keys (user and import identifiers in the object path). | Deployment-specific (e.g. ap-south-1 when configured for India). Required for File Transfer. | SSE-S3 (AES-256), private bucket, IAM least-privilege access from the Chalk API only, deletion on device ACK and scheduled purge. |
| Google LLC | OAuth identity provider and (optionally) Google Drive storage when the user connects Drive. | Email address, Google account ID, Drive file IDs, file contents that the user explicitly imports or exports. | Global Google infrastructure. | Google Cloud DPA, Standard Contractual Clauses. |
| Email delivery provider (SMTP, e.g. Mailgun) | Sends transactional email: sign-in one-time codes, magic links, Google sign-in verification codes, and (for legacy accounts) password-reset links. | Your email address and the content of the message (including a single-use code or link). Delivery logs may be retained by the provider per their policy. | Provider-dependent (configure region in your Mailgun or SMTP account). | TLS in transit, written data-processing terms where offered by the provider. |
| UserWay (optional) | In-browser accessibility widget when NEXT_PUBLIC_USERWAY_ACCOUNT is configured by the operator. | May process usage and accessibility-preference data per UserWay's policy. Loaded only in the web frontend. | United States (UserWay CDN). | Operator-controlled; widget can be disabled by leaving the account ID unset. |
| Hosting provider | Compute that serves the Next.js web frontend and the Go API server (and the internal braille translation sidecar). | All Chalk web and API traffic, including authentication cookies and API requests. Application data is persisted in MongoDB and S3, not on the compute host beyond ephemeral request handling. | To be confirmed per production environment. | Standard Contractual Clauses, TLS in transit. |
Sub-processor changes
Material changes to this list (adding a new vendor or replacing an existing one) will be announced at least 14 days in advance unless we are required to act sooner for security, legal, or business-continuity reasons.