Sub-processors

Last updated: May 1, 2026

BrikMate uses a small set of trusted third-party service providers ("sub-processors") to deliver its lease-administration product. This page lists every sub-processor that processes BrikMate Customer Data (as defined in the BrikMate Terms and Conditions) and, for transparency, the operational vendors that do not.

Last reviewed: May 1, 2026.

What we mean by Customer Data

Customer Data is data uploaded to BrikMate by you or your authorized users, primarily lease documents (PDF, Word, image) and any extracted lease information (rent schedules, options, parties, escalations, etc.) generated from those documents. It also includes the email addresses of users we send transactional notifications to.

Customer Data sub-processors

The following sub-processors process Customer Data on BrikMate's behalf. Each has a Data Processing Agreement (DPA) on file with BrikMate that mirrors BrikMate's commitments to customers.

Render Services, Inc. (render.com)

  • Purpose: Application hosting and managed PostgreSQL
  • Data processed: All Customer Data stored in BrikMate's primary database (lease abstracts, extracted fields, metadata, application change log)
  • Region: United States (us-east-1)

Amazon Web Services, Inc. (aws.amazon.com)

  • Purpose: Object storage (S3) for original Customer documents and abstract exports; cloud audit logging (CloudTrail)
  • Data processed: Customer-uploaded lease documents, generated Excel abstracts, S3 access logs
  • Region: United States (us-east-1)

Datadog, Inc. (datadoghq.com)

  • Purpose: Application logs, APM, real-user monitoring
  • Data processed: Application-level logs that may include org_id and request metadata. Document content is not sent to Datadog.
  • Region: United States (us1)

Doppler, Inc. (doppler.com)

  • Purpose: Application runtime secrets management
  • Data processed: Secret material (API keys, signing keys) used by the BrikMate application to access its own infrastructure and downstream sub-processors. No Customer Data passes through Doppler.
  • Region: United States

GitHub, Inc. (a Microsoft subsidiary) (github.com)

  • Purpose: Source-code management, CI/CD, audit logging
  • Data processed: BrikMate source code; CI test fixtures (synthetic only, no Customer Data)
  • Region: United States

Reducto (reducto.ai)

  • Purpose: Document OCR and parsing (PDF to structured text)
  • Data processed: Customer-uploaded lease documents (transient processing during extraction)
  • Region: United States

OpenAI, L.L.C. (openai.com)

  • Purpose: LLM extraction (parsed text to structured lease fields)
  • Data processed: Lease text extracted from Customer documents (sent via API). Inputs and outputs are not used to train OpenAI models. Commercial / API tier with zero-retention configured where applicable.
  • Region: United States

Anthropic, PBC (anthropic.com)

  • Purpose: LLM extraction and verification
  • Data processed: Lease text extracted from Customer documents (sent via API). Inputs and outputs are not used to train Anthropic models. Commercial / API tier.
  • Region: United States

Resend, Inc. (resend.com)

  • Purpose: Transactional email (account notifications, abstract-ready notifications)
  • Data processed: Recipient email addresses and transactional email content. No lease documents.
  • Region: United States

AI and machine-learning training

BrikMate does not use Customer Data to train any AI model.

Each AI sub-processor (Reducto, OpenAI, Anthropic) operates under commercial / API terms that contractually exclude Customer Data from model training:

  • Reducto: DPA on file; no training on BrikMate inputs.
  • OpenAI: API tier; per OpenAI's commercial terms, prompts and completions submitted via API are not used to train OpenAI models.
  • Anthropic: Commercial / API tier; per Anthropic's commercial terms, inputs and outputs are not used to train Anthropic models.

Verification artifacts (verbatim contract clauses, screenshots of org-level training opt-out settings) are captured quarterly in BrikMate's internal audit trail and are available to customers under NDA on request.

BrikMate engineering policy explicitly prohibits sending Customer Data to consumer AI tools (e.g., ChatGPT, Claude.ai). Customer Data is only ever sent to the named sub-processors above, and only by way of BrikMate's organizational API keys from backend code.

Operational vendors (do not process Customer Data)

For full transparency, the following vendors are part of BrikMate's internal operational stack but do not process Customer Data. They are not sub-processors under the DPA, they are listed here so customers can see BrikMate's complete vendor footprint.

  • Google Workspace: Internal email, calendar, and document collaboration
  • Justworks: Professional Employer Organization (PEO), payroll, benefits, employment records
  • Checkr (via Justworks): Pre-employment background checks for BrikMate personnel
  • Notion: Internal documentation, policies, runbooks
  • Linear: Internal issue tracking
  • Slack: Internal team communications
  • 1Password: Internal employee credential vault

Sub-processor change notice

BrikMate maintains this list and updates it whenever a sub-processor is added, removed, or substituted.

For sub-processors that BrikMate engages directly, BrikMate provides at least 30 days' prior written notice before adding the new sub-processor.

For sub-processor changes that originate with an upstream sub-processor (where BrikMate is itself notified by one of its own vendors), BrikMate passes the notice through to customers within 5 business days of receipt, regardless of how much advance notice BrikMate received from the upstream sub-processor.

If a customer reasonably objects to a new sub-processor on documented data-protection grounds within 30 days of BrikMate's notice, the parties will work in good faith to resolve the objection. If the objection cannot be resolved within 30 days, the customer may terminate the affected services and receive a pro-rata refund of any prepaid fees for unused services, as set forth in BrikMate's Terms and Conditions §4.5.

To subscribe to changes, email security@brikmate.com with the subject line "Sub-processor updates" and we will add you to the notification list.

Contact

For questions about BrikMate's sub-processors, security posture, or to request a copy of any sub-processor DPA under NDA:

📧 security@brikmate.com

For BrikMate's broader security commitments and certifications, see brikmate.com/security.

This page is reviewed at least quarterly and on every sub-processor change. Last reviewed: May 1, 2026.

The AI workforce for commercial real estate
Resources
Terms and ConditionsPrivacy PolicySub-processors SecurityCustomer Support
contact
415 Stockton St. San Francisco, CA 94108

© Copyright 2025, All Rights Reserved by BrikMate