Subprocessors
The Big Lease engages carefully vetted third parties to process Customer Data on our behalf. This page discloses the categories of subprocessors we rely on, per Data Processing Agreement § 4 and GDPR Article 28.
Detailed List — Under NDA
The specific vendor names, contractual posture, regional data residency, sub-subprocessor chain, and data-flow diagrams are provided to Enterprise Customers under a mutual non-disclosure agreement. Request: compliance@thebiglease.ai. Turnaround is typically one business day.
Core infrastructure
Hosting, data store, authentication
Cloud infrastructure (IaaS/PaaS)
Purpose: Primary data store, authentication, row-level security, real-time subscriptions, server-side compute, edge CDN, back-end hosting
Data: All Customer Data, including account metadata, operational records, and encrypted PII
Compliance: SOC 2 Type II, ISO 27001, GDPR
Financial
Payments + tax
Payment processing
Purpose: Platform-fee charges, subscription billing, Charter reservations, installment plans, credit notes, invoice settlement
Data: Name, email, billing address; card tokenized at point of entry (PANs never touch our infrastructure)
Compliance: PCI DSS Level 1, SOC 1 + 2 Type II, ISO 27001
Sales/use tax calculation (optional)
Purpose: US state sales-tax lookup + remittance filing assistance
Data: Transaction value + destination jurisdiction
Compliance: SOC 1 + 2 Type II
Agreements
Electronic signature
Electronic signature
Purpose: Bilateral lease envelope workflow, completion webhooks, legal-grade signature timestamps
Data: Signer name, email, contract PDF; IP + device fingerprint at signature time
Compliance: SOC 1 + 2 Type II, ISO 27001, eIDAS + ESIGN Act + UETA
Intelligence
AI + language-model inference
AI language-model inference
Purpose: AI-Advisor orchestration, War Room mediation framing, matching explanations, counterpart intelligence, document review
Data: De-identified deal metadata; no PII, no full contract text; zero-retention + zero-training enabled
Compliance: SOC 2 Type II
Operations
Email, monitoring, uptime
Transactional email
Purpose: Account lifecycle emails (welcome, password reset, magic-link sign-in, Charter confirmation, envelope invites, renewal notices)
Data: Recipient email, subject line, body content; no payment or identity data
Compliance: SOC 2 Type II, GDPR
Error tracking + application performance monitoring
Purpose: Exception capture, stack traces, performance spans
Data: Request metadata with PII scrubbing (emails, phones, SSNs, card numbers, auth tokens removed before transmission)
Compliance: SOC 2 Type II, ISO 27001, GDPR
Uptime monitoring + public status page
Purpose: External probes from geographically distributed locations; SLA-credit pipeline data feed
Data: Publicly reachable URLs only; no Customer Data
Compliance: SOC 2 Type II
On the roadmap
Planned categories (30-day Enterprise notice before production)
Identity verification (KYC)
Purpose: Government ID capture, selfie biometric match, OFAC/sanctions + PEP screening, optional business entity verification
Data: Government ID image, liveness video, date of birth; per-request, not retained on our servers
Compliance: SOC 2 Type II
Distributed rate limiting + ephemeral cache
Purpose: Per-IP and per-user rate limits on public endpoints
Data: IP, route, timestamp; 15-minute sliding window
Compliance: SOC 2 Type II (in progress)
Compliance automation platform
Purpose: SOC 2 observation + ongoing evidence collection; questionnaire automation
Data: Employee access metadata, security policy attestations
Compliance: SOC 2 Type II
Primary data residency is the United States. EU/UK/APAC residency is available under Enterprise plans; request at the Order Form stage. Cross-border transfers of Personal Data from the European Economic Area, United Kingdom, and Switzerland rely on the EU-U.S. Data Privacy Framework (where the subprocessor is certified) or Standard Contractual Clauses. A signed copy of our DPA, SCCs, and subprocessor detail list is available on request.
Subprocessor change notifications, DPA requests, and audit correspondence: compliance@thebiglease.ai