Trust Center · Public

Sub-processors

The complete list of third-party services Ren uses to operate the product. Published publicly so security and procurement reviewers can confirm scope before requesting deeper materials. We notify customers in writing before adding or replacing a sub-processor that handles customer data.

Last updated: May 16, 2026 · Subscribe to changes: security@tryren.com

Amazon Web Services (AWS)

Purpose: Cloud hosting, compute, storage, secrets management, networking
Region: US (us-east-1), single region
Data handled: All Ren application data, encrypted at rest and in transit
Contract terms: AWS Customer Agreement + AWS DPA (SCCs included)

Anthropic

Purpose: Primary LLM inference for coaching synthesis and draft generation
Region: US
Data handled: Masked prompt content (PII removed before submission)
Contract terms: Anthropic Commercial Terms with zero-retention and no-training addendum

OpenAI

Purpose: Backup LLM inference and embedding model for retrieval
Region: US
Data handled: Masked prompt content (PII removed before submission)
Contract terms: OpenAI Enterprise Terms with zero-retention and no-training addendum

Pinecone

Purpose: Vector database for retrieval-augmented context
Region: US (AWS-hosted)
Data handled: Embedding vectors and associated metadata; no raw message content
Contract terms: Pinecone Customer Agreement + DPA (SCCs included)

LangSmith

Purpose: LLM observability and tracing for system reliability
Region: US
Data handled: Prompt/completion telemetry, sampled, with PII masked
Contract terms: LangChain Subscription Agreement with zero-retention configuration

Guardrails AI

Purpose: PII detection and masking engine (pre-LLM)
Region: US, runs in-VPC
Data handled: Inline data flow only; no persistence outside Ren's VPC
Contract terms: Guardrails commercial license; runs entirely on Ren infrastructure

Datadog

Purpose: Application performance and infrastructure observability
Region: US
Data handled: Operational metrics, traces, logs (scrubbed of PII before ingest)
Contract terms: Datadog Customer Agreement + DPA (SCCs included)

Okta / Auth0 (when used)

Purpose: Managed identity for SSO and SCIM provisioning
Region: US (customer choice for region)
Data handled: Authentication assertions and directory metadata only
Contract terms: Okta Master Subscription Agreement + DPA (SCCs included)

Resend

Purpose: Transactional email delivery (account, security, system notifications)
Region: US
Data handled: Email address and message body of system-generated emails only
Contract terms: Resend Terms of Service + DPA (SCCs included)

Cal.com

Purpose: Meeting scheduling for sales and customer success
Region: US (cloud), customer-controlled if self-hosted
Data handled: Meeting metadata and invitee email; no Ren application data
Contract terms: Cal.com Terms of Service + DPA (SCCs included)

How sub-processor changes work

Notice period: customers receive 30 days’ written notice before a new sub-processor handles customer data.
Right to object: customers may object in writing during the notice period. Where the change cannot be resolved, the customer may terminate the affected service.
DPA flow-down: every sub-processor that handles customer data is bound by terms substantially similar to the customer DPA, including SCCs for cross-border transfers.
LLM providers: Anthropic and OpenAI are contracted with zero-retention and no-training terms. PII is masked before content leaves the Ren VPC.

Read the DPA Request full security & architecture brief