Legal
Sub-processors
Last updated: 2026-05-14
Aura uses the third-party sub-processors listed below to deliver its services. Each sub-processor is bound by a written data processing agreement that imposes confidentiality, security, and limited-purpose processing obligations substantively equivalent to those Aura accepts under its own Data Processing Agreement with partner institutions.
Partner institutions are notified at least 30 days in advance of any material change to this list, as required by Section 4.1 of the Aura DPA. The notification mechanism is direct email to the Institution Primary Contact on file.
Supabase
SOC 2 · United States (AWS US-East)
Purpose · Primary PostgreSQL database, authentication storage, file storage for resume uploads.
Data handled · All Aura user records, including assessment responses, archetypes, scores, and advisor relationships.
Vercel
SOC 2 · United States
Purpose · Application hosting, serverless API functions, scheduled cron jobs, edge caching.
Data handled · Request/response logs (sanitized), function execution logs. No persistent storage of user data.
Anthropic
SOC 2 · United States
Purpose · AI inference (Claude) for assessment scoring, interview question generation, LinkedIn rewrites, resume review, 90-day plan generation, and job matching.
Data handled · Assessment content + archetype context, sent per-request. Anthropic does not use Aura API traffic to train models.
Stripe
SOC 2 · United States
Purpose · Subscription billing and payment processing for Aura+ and Accelerator tiers.
Data handled · Payment method tokens, billing email, subscription state. Stripe does not receive education-record content.
Resend
SOC 2 · United States
Purpose · Transactional email delivery (sign-in verification codes, advisor invitations, 90-day outcome follow-ups).
Data handled · Recipient email addresses, message subject and body.
Sentry
SOC 2 · United States
Purpose · Server-side error monitoring and alerting.
Data handled · Error stack traces and request context. User identifiers are one-way hashed (fingerprinted) before transmission, not stored as raw email.
Questions or concerns?
For questions about this list, our use of these sub-processors, or to request a copy of the executed agreement covering your institution, contact privacy@useaura.net.