Kochi may use service providers and subprocessors to host the product, run analytics, deliver communications, support authentication, and provide AI-related features. We update this page when our provider set changes materially. Customers with questions, objections, or update requests about subprocessors can contact support@kochi.so.
AI providers are used only when a customer selects or configures an AI feature, or when a requested workflow requires one. Customer Content is not used to train, fine-tune, or improve AI or ML models, including third-party models, unless the customer gives explicit written opt-in.
Public subprocessor list
Vercel
Application hosting, deployment delivery, edge/network services, and related observability.
Likely data categories: Account data, application content, request logs, usage data, and technical metadata.
Used to operate the public Kochi web application and delivery pipeline.
Neon
Managed PostgreSQL database hosting, storage, backup, and recovery.
Likely data categories: Customer content, workspace data, account identifiers, and operational database records.
PayloadCMS is the application framework; Neon is the database layer that backs it.
WorkOS
Authentication, single sign-on, directory sync, and organization access workflows.
Likely data categories: Identity information, organization identifiers, authentication events, and access-control metadata.
Used where customers connect enterprise identity features.
Mailmodo
Transactional and product email delivery.
Likely data categories: Email address, name, message content, delivery status, and engagement metadata.
Used for account, support, and service notifications.
Amplitude
Product analytics and feature usage measurement.
Likely data categories: Pseudonymous identifiers, device and browser data, page events, and interaction telemetry.
We do not use it for targeted advertising.
Helicone
LLM request observability, tracing, and debugging for AI features.
Likely data categories: Prompt and response content, request metadata, token counts, timestamps, and trace identifiers.
Used only where AI observability is enabled for the requested feature or environment.
Braintrust
Evaluation, quality monitoring, and workflow analysis for AI outputs.
Likely data categories: Prompts, model outputs, evaluation traces, scores, and related metadata.
Used only for configured evaluation or quality workflows.
Sanity
Marketing content management and editorial publishing.
Likely data categories: Site content, editorial metadata, and limited account or collaborator data where applicable.
Used for public site and content operations.
OpenAI
AI features and model inference when selected, configured, or required for a requested AI workflow.
Likely data categories: Prompts, files or attachments sent for processing, outputs, tool-call data, and usage metadata.
Customer Content is not used to train, fine-tune, or improve AI/ML models unless the customer gives explicit written opt-in.
Anthropic
AI features and model inference when selected, configured, or required for a requested AI workflow.
Likely data categories: Prompts, files or attachments sent for processing, outputs, tool-call data, and usage metadata.
Customer Content is not used to train, fine-tune, or improve AI/ML models unless the customer gives explicit written opt-in.
Google / Gemini
AI features and model inference when selected, configured, or required for a requested AI workflow.
Likely data categories: Prompts, files or attachments sent for processing, outputs, tool-call data, and usage metadata.
Customer Content is not used to train, fine-tune, or improve AI/ML models unless the customer gives explicit written opt-in.
Security measures
- Encryption in transit and at rest where supported by the underlying service.
- Access controls, role-based permissions, and least-privilege operational access.
- Logging and monitoring for service health, security-relevant events, and unusual activity.
- Vendor review and due diligence before material processor onboarding and during periodic reassessment.
- Incident response procedures for triage, containment, remediation, and customer communication where required.
- Backups and recovery processes designed to support continuity and restoration after failure or loss.
- Secure development practices, including review, testing, and production access controls.
- Retention and deletion practices intended to limit data to what is needed for the service and applicable legal obligations.
- Employee and contractor confidentiality obligations covering customer data and internal systems.
Related legal docs
See also Privacy, Terms, Cookies, and DPA.
Date: April 21, 2026. Legal entity: FamilytalkGPT Inc. Product and service name: Kochi.