In short: FaithBase is built on a modern, widely-adopted stack — including Convex, Vercel, OpenRouter, and WorkOS — with core infrastructure independently audited to SOC 2 Type II (and ISO 27001 for hosting and cloud infrastructure); per-vendor certifications are listed below. Retention is purpose-bound, and every subprocessor that processes your content or end-user data supports deletion — by request or via automatic retention windows.
This page identifies third-party vendors that FaithBase uses to provide, secure, observe, support, and improve the FaithBase platform. Some vendors process Client Data or Personal Data as subprocessors. Others are customer-authorized integrated services that FaithBase connects to only when a customer enables a feature or imports content from that service.
Use of a vendor may vary by environment, feature, customer configuration, and subscription tier. FaithBase reviews vendors for appropriate security, privacy, and contractual safeguards before production use. Each subprocessor that processes personal data on FaithBase's behalf does so under a Data Processing Agreement, incorporating Standard Contractual Clauses for international transfers where applicable. Enterprise customers may request current vendor security documentation, data processing terms, and relevant compliance reports through their FaithBase contact.
Compliance certifications shown below are as published by each vendor and apply according to each provider's certified scope.
Processing Categories
- Core platform processing: hosting, database, storage, authentication, billing, and platform operations.
- AI processing: prompts, responses, retrieved context, embeddings, model metadata, latency, token counts, and quality/evaluation data.
- Operational logging: application logs, traces, request identifiers, error metadata, and debugging records. Operational logs may contain prompt, response, or retrieved-context content when logging is configured for debugging, quality review, support, security, or abuse prevention.
- Support processing: support requests, issue descriptions, screenshots, customer/account metadata, and related internal support communications.
- Customer-authorized source ingestion: content fetched from customer-selected websites, uploaded documents, YouTube channels/videos, or similar sources.
FaithBase does not sell Client Data, does not share Client Data for cross-context behavioral advertising, and does not permit any model provider to train on Client Data. All model APIs are used under non-training terms. Some vendors may retain data for limited service, security, abuse-monitoring, support, legal, or operational purposes under their published terms or applicable agreements.
Core Subprocessors
| Vendor | Purpose | Data processed | Compliance & retention |
|---|---|---|---|
| Vercel Inc. | Hosting, serverless functions, deployment, edge/network, runtime logs. | Account data, platform traffic, chat/API requests, deployment & runtime logs. | SOC 2 Type II; ISO/IEC 27001:2022. Reference: Compliance. |
| Convex, Inc. | Database, file storage, vector/search, backend functions, realtime sync, backups. | Client content, knowledge-base material, conversations, messages, leads, prayer requests, embeddings. | SOC 2 Type II; hosted on AWS. Primary datastore for customer export & deletion. Reference: Security. |
| Amazon Web Services, Inc. | Underlying cloud infrastructure for the providers above, and direct use where applicable. | Infrastructure-hosted app data, backups, logs, operational metadata. | SOC 1/2/3; ISO/IEC 27001, 27017, 27018. Reference: Compliance. |
| WorkOS, Inc. | Authentication, SSO, org management, RBAC, and session/identity flows. | Admin identity, org membership, and authentication/session metadata. | SOC 2 Type II; GDPR & CCPA; annual third-party penetration tests. Reference: Security. |
AI and Model Processing
| Vendor | Purpose | Data processed | Compliance & retention |
|---|---|---|---|
| OpenRouter, LLC | AI model routing, chat completions, embeddings, provider selection, optional input/output logging. | Prompts, responses, retrieved context, embeddings inputs, model metadata, token counts, latency, and prompt/completion logs. | FaithBase routes models through OpenRouter without Zero Data Retention routing. Prompt/completion logs are retained for at least 3 months and can be deleted on request to OpenRouter. Downstream provider retention is governed separately. Reference: Privacy & Logging. |
| OpenAI, L.L.C. | AI model provider, direct or via OpenRouter where OpenAI models are selected. | Prompts, responses, retrieved context, model inputs/outputs, usage metadata. | Data not used for model training, but retained up to 30 days for abuse monitoring. FaithBase does not employ Zero Data Retention. Reference: Enterprise Privacy. |
| Anthropic, PBC | AI model provider, direct or via OpenRouter where Anthropic models are selected. | Prompts, responses, retrieved context, model inputs/outputs, usage metadata. | API inputs/outputs are not used for model training. Auto-deleted within 30 days. Reference: Data retention. |
| Google Cloud Vertex AI / Gemini | AI model provider where Gemini/Google models are selected via Vertex AI or a routed endpoint. | Prompts, responses, retrieved context, model inputs/outputs, usage metadata. | Customer data is not used to train Google models. Prompts may be logged for abuse monitoring; temporary retention in some Vertex scenarios (context caching, batch outputs, tuning artifacts, Live API resume). Reference: Data governance. |
| Gloo, LLC | Optional AI/content APIs and faith-aligned AI services where configured. | Customer-selected content, prompts, responses, and AI API request/response data. | Secure data controls and guardrails per Gloo AI documentation. Use is feature-dependent. Reference: Security. |
| ElevenLabs, Inc. | Optional voice chat / speech engine features where enabled. | Voice-session metadata, audio/transcript content, generated speech, usage metadata. | SOC 2 Type II available to enterprise on request; enterprise Customer Content deleted within 30 days of termination; Zero Retention Mode available for certain products. Reference: DPA. |
Observability, Support, and Operations
| Vendor | Purpose | Data processed | Compliance & retention |
|---|---|---|---|
| Axiom, Inc. | Observability, logging, tracing, diagnostics, monitoring, and incident response. | Application logs, trace IDs, request metadata, errors, performance data; prompt/response snippets if FaithBase logs them for debugging. | SOC 2 Type II; encryption at rest & in transit; security program aligned with ISO 27001. Retention per configured Axiom dataset settings. Reference: Security. |
| Resend, Inc. | Transactional email delivery and templates where configured. | Email addresses, message metadata, transactional email content. | SOC 2 Type II; GDPR; encryption at rest & in transit; production backups retained 30 days. Reference: Security. |
| Asana, Inc. | Internal support ticket routing, issue tracking, attachments, and task management. | Support descriptions, issue metadata, account context, screenshots/attachments submitted via support flows. | Security & compliance per Asana Trust Center. Retention per FaithBase support operations. Reference: Trust Center. |
| Slack Technologies, LLC | Internal support notifications and operational communications where configured. | Support summaries, links to support tasks, account metadata, operational alerts. | ISO/IEC 27001 and SOC materials published. Limited to operational/support workflows. Reference: Compliance. |
Customer-Authorized Source and Content Integrations
These services are used only when a customer enables the relevant feature, connects the service, or directs FaithBase to ingest content from that source.
| Vendor / service | Purpose | Data processed | Compliance & retention |
|---|---|---|---|
| Firecrawl, Inc. | Website crawling and scraping for customer-directed knowledge-base ingestion. | Customer-submitted URLs, public website page content, crawl/scrape results. | Ingested content is stored in FaithBase-controlled systems after processing. Vendor security docs available on request. |
| Google LLC / YouTube API Services | YouTube metadata, public video/channel inventory, transcript workflows, embedded video metadata. | Public YouTube URLs, video/channel metadata, transcript text where available, usage metadata. | Subject to the YouTube API Services Developer Policies and Google user-data requirements. Reference: Developer Policies. |
AI Logging and Sensitive Data Handling
FaithBase may log prompts, responses, retrieved context, and related AI metadata in FaithBase-controlled systems and configured subprocessors, including Convex, Axiom, and OpenRouter, for service operation, debugging, quality evaluation, abuse prevention, security, and support.
Sensitive data may be included if a Client or End User submits it to an AI agent or source-ingestion workflow. Examples include religious affiliation or belief, prayer requests, pastoral-care context, health-adjacent details, family circumstances, children/youth ministry context, financial hardship, immigration/legal concerns, abuse, self-harm, crisis, or safety disclosures.
FaithBase handles sensitive data by:
- limiting use to providing, securing, supporting, and improving the Services;
- restricting access to authorized personnel and authorized customer administrators;
- prohibiting sale, advertising use, or model-provider training on Client Data;
- supporting active-system export and deletion workflows;
- allowing residual copies in backups, security logs, observability systems, and subprocessors to expire under documented retention periods;
- supporting additional logging restrictions or provider-routing restrictions for enterprise customers where commercially and technically available.
Deletion and Retention Notes
- Active FaithBase application records: FaithBase can locate records using organization ID, agent ID, conversation ID, visitor identifier, timestamps, and related metadata to support access, export, and deletion requests.
- Operational logs and traces: Logs may be retention-bound rather than instantly hard-deleted, depending on the system and configured retention window.
- Backups: Backup data is isolated from ordinary processing and may persist until the applicable backup-retention period expires.
- OpenRouter logs: If FaithBase has enabled OpenRouter Input & Output Logging, FaithBase can request deletion of stored prompt/completion logs through OpenRouter support. This does not automatically delete downstream provider abuse/security logs.
- Model-provider logs: Downstream providers such as OpenAI, Anthropic, and Google Vertex AI retain data according to their own API/cloud terms and feature configuration.
- Billing/legal records: FaithBase and its payment processor may retain billing, tax, fraud, dispute, security, or legal records where required or permitted by law.
Infrastructure Certification References
FaithBase relies on Vercel, Convex, and AWS for core hosting, application, database, storage, and infrastructure (see Core Subprocessors above for certification levels). Supporting certificate references:
- Vercel: ISO/IEC 27001 certificate no. 1868222-3, listed in the Schellman certificate directory.
- AWS: SOC and ISO reports via AWS Artifact; ISO/IEC 27017:2015 certificate no. 2015-015 available as a public PDF.
- Convex: SOC 2 Type II, hosted on AWS — see Convex Platform Security.