Changelog

Subprocessor list extracted from Airtable's published page (airtable.com/company/subprocessors, vendor-dated March 31, 2026): 22 third-party subprocessors (core infrastructure, in-product AI, and support/service providers) plus 3 Formagrid affiliates.

Verification pass: SOC 2 Type II, ISO 27001:2022 (public certificate PDF), ISO 27701, HIPAA, and TX-RAMP Level 2 confirmed against Airtable's trust page. Security page URL corrected to /company/trust-and-security; subprocessors list and DPA links added.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Subprocessor list extracted from Anthropic's trust center (trust.anthropic.com/subprocessors, fetched 2026-06-10): 18 subprocessors. Notable: three hyperscalers (GCP, AWS, Azure) plus Palantir Federal Cloud Service for Claude for Government, ElevenLabs for voice mode, and Brave Search/TurboPuffer powering web search.

Vendor added with a verified initial snapshot: SOC 2 Type II, ISO 27001:2022, ISO/IEC 42001:2023, and HIPAA BAA availability confirmed against Anthropic's Privacy Center certification article (fetched 2026-06-10). DPA confirmed at anthropic.com/legal/data-processing-addendum. Trust portal (trust.anthropic.com) is JS-rendered — Vanta-hosted; subprocessor list extraction pending.

Verification pass: SOC 2 Type II, ISO 27001:2022 (plus 27017/27018/27701), HIPAA, and CSA STAR Level 1 confirmed against Asana's trust page. Status page and EU/AU/JP data residency recorded; trust center corrected to security.asana.com.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Vendor added with a verified initial snapshot: SOC 2 (Coalfire-audited, cloud products), ISO/IEC 27001:2022 with ISO 27018 extension, and FedRAMP Moderate (Jira, Confluence, JSM) each confirmed against Atlassian's dedicated compliance resource pages (fetched 2026-06-10). PCI DSS kept as reported only — the logo appears on the compliance page without a linked resource. The full 34-item compliance resource list is JS-filtered; remaining certifications can be verified individually later.

Vendor added with a verified initial snapshot: SOC 1 and SOC 2 Type II confirmed against bamboohr.com/security (fetched 2026-06-10). No ISO certifications claimed on the page. Cloud provider not named publicly; hosting regions recorded as US/Canada/Ireland.

Verification pass: SOC 2 Type II (plus SOC 3), ISO 27001, and CSA STAR Level 1 confirmed against Calendly's security page. Whistic trust profile added; PCI compliance is via payment processor Chargebee, not Calendly itself.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Vendor added with a verified initial snapshot: SOC 2 Type II, ISO 27001/27017/27018/27701, ISO/IEC 42001:2023, FedRAMP High (Datadog for Government), PCI DSS, HIPAA, CSA STAR, TISAX, and IRAP confirmed against Datadog's SafeBase Trust Center compliance list and press release (fetched 2026-06-10). DORA, GDPR, and CCPA shown on the trust page are legal/regulatory frameworks, not certifications — excluded.

Vendor added with a verified initial snapshot: SOC 1, SOC 2, SOC 3, and ISO 27001 confirmed against Deel's security page (deel.com/security, fetched 2026-06-10), which also documents EU-only AWS hosting (Ireland primary, France DR). SOC type levels (I vs II) not stated on the page — listed as published. Trust center (trust.deel.com, SafeBase) is JS-rendered; report-level detail pending.

Vendor added with a verified initial snapshot: SOC 1/2 Type II, ISO 27001:2022 (+27017/27018), PCI DSS v4.0, BSI C5 Type II, FedRAMP Agency authorization (Docusign Federal) with GovRAMP and DoD IL4, IRAP PROTECTED, eIDAS QTSP status (Docusign France), and CSA STAR confirmed against DocuSign's certifications page (docusign.com/trust/compliance/certifications, fetched 2026-06-10).

Verification pass: SOC 2 Type II (plus SOC 1/SOC 3), ISO 27001/27018 (plus 27017/27701/22301), CSA STAR Level 2, and HIPAA support confirmed against Dropbox's compliance page, Trust Center, and the CSA STAR registry.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Verification pass: SOC 2 Type II, ISO 27001:2022, FedRAMP authorization, C5, and TISAX confirmed against Figma's security page, Trust Center, and the FedRAMP marketplace. Trust Center URL added.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Removed an incorrect subprocessors URL recorded at vendor-add: the SafeBase itemUid pointed at Datadog's trust-center subprocessors item, not Freshworks'. Freshworks' subprocessor list location is still to be confirmed.

Vendor added with a verified initial snapshot: SOC 1 Type II, SOC 2 Type II, SOC 3, ISO 27001:2022, ISO 27701:2019, CSA STAR Level 1, PCI DSS v4.0.0, and Cyber Essentials/Plus confirmed against trust.freshworks.com (fetched 2026-06-10).

Vendor added with a verified initial snapshot: SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001:2022, CSA STAR Level 2, and a PCI DSS Attestation of Compliance confirmed against GitHub's published compliance-reports documentation (docs.github.com, fetched 2026-06-10). The main GitHub Trust Center delegates product detail to two Vanta-hosted trust portals (copilot.github.trust.page, ghec.github.trust.page) which are JS-rendered — deeper extraction pending.

Vendor added with a verified initial snapshot: SOC 1 Type II, SOC 2 Type II, ISO 27001:2022, ISO 27701:2019, and ISO 42001:2023 confirmed against greenhouse.com/security (fetched 2026-06-10). PCI DSS kept as reported — scope unclear on the page.

Correction: removed ISO 27001 from HubSpot's certifications. HubSpot's security page attributes ISO 27001 to its cloud infrastructure providers (AWS), not to HubSpot itself, and HubSpot publishes no ISO 27001 certificate of its own. SOC 2 Type II confirmed; EU (Frankfurt) data residency and AWS US-East hosting verified.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Verification pass: SOC 2 Type II, ISO 27001:2022 (plus 27018/27701/42001), HIPAA attestation, and HDS confirmed against Intercom's compliance documentation article. www.intercom.com/security now redirects to the Vanta-hosted trust center at trust.intercom.com; security page URL updated to the persistent help-center article.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Vendor added with a verified initial snapshot: SOC 2 Type II (Schellman), ISO 27001 (issued to parent Employ Inc.), and CSA CAIQ confirmed against lever.co/security (fetched 2026-06-10). Lever has been part of Employ Inc. — certifications are held at the Employ level.

Verification pass: SOC 2 Type II, ISO 27001:2022, and HIPAA BAA availability confirmed against Linear's security page. Trust center (trust.linear.app), DPA link, and EU/US multi-region hosting recorded.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Verification pass: SOC 2 Type II (plus SOC 1/SOC 3), ISO 27001:2022 (plus 27017/27018/27032/27701), HIPAA BAA, and TX-RAMP confirmed against monday.com's trust center. Compliance documents are gated behind trust.monday.com.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Verification pass: SOC 2 Type II, ISO 27001 (plus 27701/27017/27018), HIPAA configurability, and BSI C5 confirmed against Notion's published security page. Cloudflare added as infrastructure partner alongside AWS.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Removed an incorrect subprocessors URL recorded at vendor-add: the SafeBase itemUid pointed at Datadog's trust-center subprocessors item, not OpenAI's. OpenAI's subprocessor list location is still to be confirmed.

Vendor added with a verified initial snapshot: SOC 2 Type II, SOC 3, ISO 27001/27017/27018/27701, ISO 42001, CSA STAR, FedRAMP 20x, TX-RAMP, and scoped PCI DSS confirmed against trust.openai.com (fetched 2026-06-10). HIPAA listed as reported only.

Vendor added with a verified initial snapshot: SOC 1/SOC 2 Type II, public SOC 3, CSA STAR Level 2, ISO 27001, ISO 27018, and ISO 42001 confirmed against rippling.com/trust/security (fetched 2026-06-10).

Verification pass: SOC 2 Type II, ISO 27001, and FedRAMP Moderate confirmed against Slack's published security page and the FedRAMP marketplace. ISO 27017/27018/27701/42001 also observed.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.

Vendor added with a verified initial snapshot: PCI DSS Service Provider Level 1, SOC 1/SOC 2 Type II, public SOC 3, EMVCo Terminal certification, and US Data Privacy Framework participation confirmed against Stripe's security documentation (docs.stripe.com/security, fetched 2026-06-10). NIST CSF alignment noted on the page but excluded as it is a framework alignment, not a certification.

Vendor added with a verified initial snapshot: SOC 2 Type I/II, ISO/IEC 27001:2013, ISO 27017, ISO 27018:2019, PCI DSS Level 1 & 4, HIPAA-eligible product list, and EU Binding Corporate Rules confirmed against Twilio's security page (twilio.com/en-us/security, fetched 2026-06-10). The trust portal (security.twilio.com / trust.twilio.com) requires access requests for report downloads.

Vendor added with a verified initial snapshot: SOC 1/2 Type II, public SOC 3, ISO 27001/27017/27018/27701, ISO 42001, FedRAMP Moderate (Workday Government Cloud), HIPAA attestation, Cyber Essentials Plus, TX-RAMP L2, and TISAX confirmed against Workday's compliance page with direct certificate PDFs (fetched 2026-06-10). Status dashboard requires a Workday Community login.

Vendor added with a verified initial snapshot: SOC 2, ISO 27001/27017/27018/27701, ISO 42001 (scoped), FedRAMP Li-SaaS, TX-RAMP Level 2, ISMAP, HIPAA, and HDS confirmed against Zendesk's products-in-scope compliance article (fetched 2026-06-10). Main trust center is JS-rendered; the support-center article is the stable source.

Subprocessor list extracted from Zoom's published subprocessors page (zoom.com/en/trust/subprocessors): 21 authorized subprocessors plus Stripe for Zoom Events. Notable: four AI 'Intelligent Features' providers (Anthropic, OpenAI, Perplexity, Suki AI) plus Eleven Labs and Microsoft Azure AI Speech.

Verification pass: SOC 2 Type II, ISO 27001, FedRAMP Moderate (Zoom for Government), CSA STAR Level 2, and BSI C5 confirmed against Zoom's compliance page, each with a dedicated source page.

Vendor added to StackPosture — initial snapshot from published trust documentation. Verification pass pending.