Reconciled engages the third parties listed below to deliver the Service. We have written agreements with each that impose confidentiality and security obligations consistent with POPIA. We update this page when we add or remove a sub-processor.
| Provider | Purpose | Location | Data categories | Safeguard |
|---|---|---|---|---|
| Anthropic, PBC | AI extraction of transactions from uploaded documents | United States | Bank statement contents, financial document contents | Anthropic Data Processing Addendum; data not used for model training |
| [HOSTING PROVIDER] | Application hosting and database storage | [REGION] | All application data | [DPA REFERENCE] |
| [EMAIL/SMTP PROVIDER] | Transactional email delivery (invitations, password resets, notifications) | [REGION] | Recipient email, name, message body | [DPA REFERENCE] |
| Google LLC (Google Tag Manager) | Website analytics — landing page only, after explicit consent | United States | IP address, browser identifiers, page views | Google Ads Data Processing Terms; loads only after user accepts cookie banner |
How we vet sub-processors
- Written DPA or equivalent contract before any data is shared
- Review of provider's security posture and POPIA / GDPR compliance posture
- Assessment of cross-border transfer safeguards (POPIA s.72)
- Annual review of the sub-processor list
Notification of changes
When we add a sub-processor that handles personal information, we will update this page and notify firm administrators by email at least 30 days before the change takes effect, where reasonably possible.
Contact
Questions about our sub-processors: hello@reconciled.co.za