Snap2Deploy uses a small number of third-party service providers (“subprocessors”) to operate the service. Each is bound by a written data-processing or equivalent agreement requiring them to protect your data and use it only on our instructions.
This page is the canonical, current list. Our Data Processing Agreement incorporates this list by reference; our Privacy Policy mirrors it.
Notification of changes
We will give organization owners at least thirty (30) days’ notice before adding or replacing a subprocessor, by updating this page (the “Last updated” date above will change) and emailing the address on file for the organization owner. If your organization reasonably objects to a new subprocessor on data-protection grounds, contact legal@snap2deploy.com and we will discuss in good faith.
To receive subprocessor change notifications proactively rather than waiting for the next email, subscribe at security@snap2deploy.com.
Current subprocessors
| Provider | Purpose | Data | Region | Security |
|---|---|---|---|---|
| Vercel, Inc. | Application hosting, edge delivery, and object storage (Vercel Blob) for uploaded installer artifacts. | Account data, audit log entries, request logs, installer binaries (in object storage). | United States | vercel.com/security |
| Neon, Inc. | Managed Postgres database hosting (primary application database, including continuous backup with point-in-time recovery). | Account data, organization metadata, encrypted integration credentials, package metadata, audit log entries, billing identifiers. | United States | neon.tech/security |
| Stripe, Inc. | Payment processing and subscription management. Snap2Deploy never sees, stores, or processes card numbers. | Billing email, Stripe customer and subscription identifiers. Card data is processed and held by Stripe directly. | United States | stripe.com/privacy |
| Resend, Inc. | Transactional email delivery (account verification, invitations, billing notices, Auto-Pilot alerts). | Recipient email address, sender, subject, and email body for transactional messages. | United States | resend.com/security |
| Chronicle (VirusTotal), Google | Reputation scanning of uploaded installers. We send only the SHA-256 hash to VirusTotal and read back aggregate antivirus results — file bytes never leave Snap2Deploy infrastructure. | SHA-256 hashes of installer files. No file contents, no customer identity, no tenant metadata. | United States | docs.virustotal.com/docs/security |
What we do not use
For the avoidance of doubt and because the question comes up:
- No third-party AI / LLM providers are in Snap2Deploy’s runtime path today. Silent-install switch detection runs against public winget manifests and a local heuristic library — not against an external model. See /security/ai. If we add an LLM provider in the future, it will be listed here first, with at least 30 days’ advance notice.
- No analytics or marketing tracking subprocessors. Snap2Deploy does not embed Google Analytics, Mixpanel, Segment, PostHog, Hotjar, Facebook Pixel, or similar tracking tools on the application. The only network calls from the application are to our own backend and to the four providers listed above.
- No customer-data transfers to advertising networks. We have no advertising partners.
Customer-side integrations (not subprocessors)
When you connect Microsoft Intune or Jamf Pro to Snap2Deploy, the Service transmits packages and deployment configuration that you have authored to your own Intune or Jamf tenant on your behalf, using credentials you supplied. Microsoft and Jamf are your service providers in that flow, not ours, and are not subprocessors of Snap2Deploy.
Questions
For questions about this list or to request advance notification of subprocessor changes, contact legal@snap2deploy.com.