This page lists the third parties that Document Blueprint engages to Process Customer Data on behalf of our customers, as referenced in Annex III of our Data Processing Agreement.
We commit to providing at least 30 days' written notice — by email or by updating this page — before adding or replacing a Sub-processor that Processes Personal Data. See Data Processing Agreement, Section 5 for the full notification and objection process.
Google LLC provides multiple distinct services to Document Blueprint. Each is listed separately below.
Use: Application hosting (Firebase App Hosting), database (Firestore), authentication (Firebase Auth), file storage (Cloud Storage), serverless functions (Cloud Functions), encryption key management (Cloud KMS), background tasks (Cloud Tasks), and operational logging (Cloud Logging). Categories of data processed: All Customer Data — at rest and in transit. Hosted in: United States (default Firebase region; data may transit other Google data centers). Public reference: cloud.google.com/security/compliance · Google Cloud DPA
Use: AI-assisted extraction of structured values from Customer-provided documents. Categories of data processed: Document content, extracted values, and extraction prompts during AI runs. Per Google's API terms, prompts and responses to the Gemini API are not used for model training and are not retained beyond the request lifecycle. Hosted in: United States. Public reference: ai.google.dev/gemini-api/terms
Use: Workspace address geocoding (Geocoding API) and map tile rendering (Maps JavaScript API) for the dashboard map view. Categories of data processed: Workspace addresses configured in workspace settings (not full Customer Data — only address fields). Hosted in: United States. Public reference: cloud.google.com/maps-platform/terms
Use: OAuth-gated access to user-granted Google Drive files, Gmail messages, and Calendar events for ingestion and scheduling features. Categories of data processed: Files, emails, and calendar events the user has explicitly OAuth-granted Document Blueprint to access. Hosted in: United States. Public reference: developers.google.com/terms/api-services-user-data-policy
Use: Bot detection on public endpoints (login, signup, contact forms). Categories of data processed: IP address, device fingerprint, and interaction patterns at form-submission time. Hosted in: United States. Public reference: cloud.google.com/recaptcha-enterprise
Use: Usage analytics (page views, feature interaction events). Loaded only when the visitor grants analytics-cookie consent, per our Cookie Policy. Categories of data processed: Anonymized usage events. Does not include Customer Data. Hosted in: United States. Public reference: tools.google.com/dlpage/gaoptout
Use: Subscription billing, payment processing, and webhook-driven plan management. Categories of data processed: Customer billing email, subscription state, plan/seat counts. Card data goes directly from the customer's browser to Stripe via Stripe-hosted payment elements and never touches Document Blueprint servers. Hosted in: United States. Public reference: stripe.com/legal/dpa
Use: Outbound email delivery for team invitations, collaborator invitations, and billing notices (welcome, receipt, cancellation). Categories of data processed: Recipient email addresses and email body content (which includes the inviter's name and workspace name in invitation emails). Hosted in: United States. Public reference: twilio.com/en-us/legal/data-protection-addendum
We will provide at least 30 days' written notice before adding or replacing any Sub-processor that Processes Personal Data. Notice may be given by email or by updating this page. See the Data Processing Agreement, Section 5 for the full notification process.
If you have a reasonable data-protection objection to a Sub-processor change, contact us at privacy@documentblueprint.com within 30 days of notice. The objection process is described in Data Processing Agreement, Section 5.