A “sub-processor” is a third-party service that processes personal data on Defrost's behalf to deliver our product. Engaging sub-processors is essential to running a modern SaaS platform — but it deserves transparency.
Defrost requires every sub-processor to enter a written agreement at least as protective as our DPA. We notify customers 30 days in advance of material changes (new sub-processor, change in data location, change in purpose). Customers who object on reasonable grounds can terminate the affected service for the remainder of the billing period.
Current sub-processors
| Sub-processor | Purpose | Data location | Status |
|---|---|---|---|
| Anthropic | LLM inference (research, copy, classification) | United States | Live |
| AWS SES | Defrost-owned transactional email delivery from mail.defrostmail.com (account verification, billing receipts, team invites, digest, usage alerts) — primary system-mail transport since Plan 101-03 cutover | United States (us-east-1 primary; us-west-2 failover) | Live |
| Resend | Transactional system mail only (account auth, billing notifications). Customer cold/prospect mail does NOT route through Resend — it routes through your own OAuth'd mailbox (see OAuth pass-through providers below). Retained as emergency transactional fallback after Plan 109-01 retired the customer-key prospect path. | United States | Live |
| Postmark | Emergency system-mail failover transport (Phase 109 — invoked only if AWS SES is unavailable AND Resend cutover is in flight). System mail only — a runtime sentinel rejects any attempt to send customer/prospect mail via Postmark (Postmark TOS forbids cold outreach). | United States | Live |
| Mailreef | Managed outbound email transport for the premium managed-relay cold-outreach path (the sole cold-sending transport; per-customer DKIM isolation). Processes recipient name/address/email/phone + IP/connection metadata. Independent SOC 2 Type 2 (renewed annually); Art. 28 DPA in force (EU/UK SCCs + Swiss FADP + EU-US Data Privacy Framework); breach notice within 3 business days. Mailreef's own downstream vendors are governed by its DPA (Mailreef does not publish a separately enumerated sub-processor list). | United States (AWS) | Live |
| Dynadot | ICANN-accredited domain registrar + authoritative DNS for the managed-relay sending domains customers purchase through Defrost (domain registration, WHOIS, DNS record publication). Processes the registrant contact details a domain registration requires (name, organization, postal address, email, phone). | United States | Live |
| Supabase | Database, authentication, file storage | United States (US-East) | Live |
| Vercel | Hosting, edge runtime, CDN | Global edge network | Live |
| MillionVerifier | Email address verification | European Union | Live |
| ZeroBounce | Email address verification | United States | Live |
| NeverBounce | Email address verification | United States | Live |
| Stripe | Subscription billing, payment processing | United States | Coming soon |
OAuth pass-through providers (customer's own mailbox)
When you connect your own Gmail / Google Workspace or Microsoft 365 mailbox to Defrost, your prospect outreach is sent from your account, through your mailbox provider, under your provider's Terms of Service. Defrost holds an OAuth refresh token to schedule + send on your behalf, but the mail content never traverses a Defrost-owned transport. Your mailbox provider is the data processor of that prospect mail — not Defrost, and not a Defrost sub-processor. We disclose these providers here for full transparency anyway.
| Provider | Purpose | Customer relationship |
|---|---|---|
| Google (Gmail / Workspace) | Customer-mailbox send transport for prospect outreach when the customer connects a Gmail or Google Workspace account. | Mail leaves the customer's own Gmail account under Google's Terms of Service and the customer's own Workspace administrator policies. Defrost holds an OAuth refresh token to send on the customer's behalf; it does not store or relay the prospect mail content through any Defrost-owned transport. |
| Microsoft (Outlook / 365) | Customer-mailbox send transport for prospect outreach when the customer connects a Microsoft 365 or Outlook account. | Mail leaves the customer's own Microsoft 365 mailbox under Microsoft's Terms of Service and the customer tenant's admin policies. Defrost holds an OAuth refresh token; it does not relay prospect mail content through any Defrost-owned transport. |
What this means in practice: the bulk-sender rules from Gmail / Microsoft (RFC 8058 one-click unsubscribe headers, complaint-rate ceilings, opt-out honored within 48 hours, authenticated-from alignment) apply to your account, not to Defrost as a platform. Defrost enforces those rules client-side (we won't send if your configuration violates them), but ultimate compliance and account standing are between you and your mailbox provider.
Stripe (coming soon)
Stripe will be added as our payment-processing sub-processor when self-serve billing ships (target Q3 2026). Until then, Enterprise customers are billed via invoice without Stripe involvement.
Mailreef
Mailreef LLC (Philadelphia, PA, USA) is our managed outbound email transport for the premium managed-relay cold-outreach path — the sole transport for cold prospect mail, with per-customer DKIM isolation. As your sub-processor, Mailreef processes recipient contact data (name, postal address, email, phone) and IP/connection metadata on AWS infrastructure in the United States. Mailreef holds an independent SOC 2 Type 2 attestation (renewed annually) and an executed Article 28 DPA covering EU/UK Standard Contractual Clauses, the Swiss FADP, and the EU-US Data Privacy Framework, with breach notification within three business days. Mailreef's own downstream vendors are governed by its DPA; Defrost discloses Mailreef as its sub-processor (not Mailreef's vendors). See mailreef.com/privacy.
Dynadot
Dynadot LLC (San Mateo, CA, USA; ICANN-accredited registrar IANA #472) is our domain registrar and authoritative DNS provider for the managed-relay sending domains you purchase through Defrost. To register a domain, Dynadot processes the registrant contact details ICANN requires — name, organization, postal address, email, and phone — and hosts the domain's DNS records (including the per-customer DKIM, SPF, MX, and DMARC records that authorize managed-relay sending). Dynadot processes this data in the United States under its registrar agreement and privacy policy. See dynadot.com/privacy.
EU/UK customers
Where personal data is transferred from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs Module 2: Controller to Processor) and/or the EU-US Data Privacy Framework. Agency-tier and Enterprise plans support EU data residency on request — email legal@defrostmail.com.
Questions or objections
Contact privacy@defrostmail.com. For the full privacy policy, see Privacy. For our DPA, see DPA.