Sub-Processors List
Last updated April 2026
This page lists the third-party sub-processors that Carbon Manufacturing Systems, Corp. ("Carbon") engages to support delivery of the Carbon platform. Carbon performs a security and privacy review of each sub-processor before engagement and reviews relationships at least annually. Customers are notified of material additions or changes, consistent with Carbon's Data Processing Addendum.
Scope: The sub-processors below apply to all Starter and Business subscriptions, as well as to Enterprise subscriptions with Carbon-managed hosting. Carbon is open-source and available for self-hosting; customers running Carbon on their own infrastructure under the Self-Hosted Commercial License operate the platform independently, and the sub-processors below do not apply to those deployments.
For questions about this list, contact support@carbon.ms.
Infrastructure & Hosting
| Sub-Processor | Purpose | Data Location | Website |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure for Carbon's commercial cloud | United States | aws.amazon.com |
| AWS GovCloud (US) | Isolated cloud infrastructure for ITAR/CUI workloads (ENT GovCloud customers only) | United States | aws.amazon.com/govcloud-us |
| Cloudflare | DNS, edge protection, DDoS mitigation, WAF | Global edge network | cloudflare.com |
Application Services
| Sub-Processor | Purpose | Data Location | Website |
|---|---|---|---|
| Supabase | Managed PostgreSQL database backend | United States | supabase.com |
| Redis Cloud | Managed Redis (caching, rate-limiting) | United States | redis.io |
| Inngest | Background job orchestration | United States | inngest.com |
Monitoring & Observability
| Sub-Processor | Purpose | Data Location | Website |
|---|---|---|---|
| Posthog | User metrics monitoring | United States | posthog.com |
Customer Communications
| Sub-Processor | Purpose | Data Location | Website |
|---|---|---|---|
| Resend (or Novu) | Transactional email delivery | United States | resend.com / novu.co |
| Slack | Internal Carbon team communications (no customer data stored) | United States | slack.com |
| Gmail (Google Workspace) | Carbon employee email, including correspondence with customers | United States | google.com/workspace |
Payments
| Sub-Processor | Purpose | Data Location | Website |
|---|---|---|---|
| Stripe | Payment processing for self-signup customers | United States | stripe.com |
Notes
- Customer data scope: Sub-processors above process customer data only as needed to deliver the Carbon platform and only under contractual confidentiality and data-protection obligations equivalent to Carbon's commitments to its customers.
- Sub-processor changes: Carbon will provide reasonable advance notice of any material change to this list (typically 30 days) so customers can object as provided in the DPA.
- AWS GovCloud customers: ITAR-controlled data and CUI for ENT GovCloud customers is processed exclusively in AWS GovCloud (US). The non-GovCloud sub-processors above (Datadog, Cloudflare, etc.) do not receive GovCloud customer data.
- Self-Hosted customers: Customers running Carbon under the Self-Hosted Commercial License operate the platform on their own infrastructure; the sub-processor list above does not apply to those deployments.
This list is incorporated by reference into Carbon's Data Processing Addendum (Schedule 1). It is provided for informational purposes; the executed DPA controls.
