CoRubrics — GDPR
Subprocessors
This page maintains the public list of providers that may process personal data on behalf of CoRubrics to provide the educational platform.
Last updated: June 5, 2026
Scope
Providers marked as optional receive data only if the relevant feature is configured or used by a teacher. CoRubrics reviews this list when adding, replacing, or removing providers relevant to personal data processing.
Current Subprocessor List
These providers are subject to contractual confidentiality, security, and data protection commitments appropriate to the service they provide.
| Provider | Purpose | Data processed | Location | Transfer basis |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, and application APIs. | Teacher account data, classes, students, rubrics, forms, submissions, results, audit logs, and session data. | European Union for the current production database (Frankfurt, Germany); provider headquartered in the United States. | Data hosted in EU region; provider DPA and applicable safeguards for access or support outside the EEA. |
| Vercel, Inc. | Web application hosting, serverless functions, cron, and network infrastructure. | Data transmitted through application requests, technical metadata, operational logs, and data needed to serve the platform. | European deployment region (fra1) and global network; provider headquartered in the United States. | Provider DPA, standard contractual clauses, or other valid GDPR transfer mechanisms. |
| Plus Five Five, Inc. (Resend) | Transactional email. | Email addresses, names where included, service email content, access links or tokens, delivery metadata, bounces, and complaints. | United States; sending region may vary depending on provider configuration. | Provider DPA and standard contractual clauses or other valid GDPR transfer mechanisms. |
| Anthropic, PBC | AI-assisted rubric generation, routed through Vercel AI Gateway. | Prompts and rubric content entered by the teacher, together with generated responses. Unnecessary student information should not be included. | United States. | Provider DPA, standard contractual clauses, or other valid GDPR transfer mechanisms. |
| Functional Software, Inc. (Sentry) | Error monitoring, performance monitoring, and security diagnostics when enabled in production. | Error logs, technical traces, URLs, internal identifiers, browser/device information, and data that may accidentally appear in errors. | United States and/or global infrastructure. | Provider DPA, standard contractual clauses, or other valid GDPR transfer mechanisms. |
| Upstash, Inc. | Usage limiting and abuse prevention via Redis when configured. | Rate limit identifiers, counters, timestamps, and minimal technical metadata needed to enforce limits. | Configured Redis database region; provider headquartered in the United States. | Provider DPA, standard contractual clauses, or other valid GDPR transfer mechanisms. |
Teacher-Authorized Integrations
Some external connections are activated only by the teacher. These connections are not generally treated as CoRubrics-wide subprocessors because the teacher or institution maintains its own relationship with the external provider.
Google LLC — Google Classroom
Optional import of classes and students from Google Classroom through OAuth.
CoRubrics requests access only when a teacher connects Google Classroom. Google may process that data under its own API terms and under the existing relationship between Google and the teacher or educational institution.
Microsoft Corporation — Microsoft Teams for Education
Optional import of classes and students from Microsoft Teams through OAuth and school administrator approval.
CoRubrics requests access only after the institution approves the app and a teacher connects Microsoft Teams. Microsoft may process that data under its own Microsoft Graph terms and under the existing relationship between Microsoft, the teacher, and the educational institution.