Privacy and vendors

Subprocessors

The current Macro by Mark subprocessor list, the data classes each provider receives, and the review path for institutional buyers.

Effective
July 9, 2026
Last reviewed
July 9, 2026
Active subprocessors
12
Change notice
30 days to active paid users
DPA
Review path on request

Operational policy text for Macro by Mark. Not a substitute for advice from counsel.

Notice

How this list changes

Material subprocessor changes are emailed to active paid users at least 30 days before they take effect. Removed vendors are reflected here after production traffic has stopped flowing to that vendor.

A DPA review path is available on request for institutional buyers. This page should not be read as a promise that every buyer-specific DPA, MSA, insurance request, or security questionnaire has already been completed.

Active vendors

Current subprocessor list

ProviderPurposeDataRegion/status
SupabaseAuthentication and primary databaseAccount identity, profile, preferences, sessions, MFA factors, passkeys, saved account records, and saved Marco conversationsProject region us-east-1, subject to the notice process if changedService-role use is server-side and allow-listed.
VercelApplication hosting, serverless runtime, and edge deliveryRequest metadata, IP address, user agent, URL, response status, and runtime logsGlobal edge with primary functions in us-east-1Sensitive values are not intentionally attached to logs; structured redaction is applied on guarded paths while the remaining console-callsite migration is completed.
Amazon Web Services (AWS)Hosted Macro Lab job queue, worker compute, and private artifact storageLab run identifiers and job metadata, user-provided input bundles, execution logs and results, and generated artifacts for hosted Macro Lab runsPrimary Macro Lab resources in us-east-2Private S3 objects and queue payloads use the production encryption and retention controls documented in the Macro Lab operations runbook.
Upstash RedisDistributed rate limiting and cache storage when configuredRate-limit keys, IP-derived buckets, counters, reset timestamps, public macro cache payloads, and cached query-derived embedding vectorsUSA/global depending on the configured databaseNo request bodies are intentionally stored for rate limiting. Query-derived embedding vectors may be cached for up to 24 hours where supported; cache keys hash the normalized query text.
AnthropicMarco assistant model providerAssistant messages, page path, source context, tier/model metadata, limited profile context, and explicit saved-object summaries when the user asks for themUSA/global under the API processing pathCommercial API and DPA status must be reviewed before regulated or institutional promises are made.
OpenAISemantic search and content-retrieval embeddingsNormalized user search or assistant query text, public indicator and content chunk text, and generated embedding vectorsUSA/global under the API processing pathUsed for embedding generation; Anthropic remains the model provider for Marco assistant responses.
StripePayments, subscriptions, invoicing, and customer portalEmail, name, billing address, payment-method tokens, invoice records, and subscription metadataGlobal, with primary controls in the USAStripe tokenizes card details; Macro by Mark does not store full card numbers.
ResendTransactional emailEmail address, delivery metadata, and the message content needed for sign-in alerts, password flows, and notificationsUSAPer-recipient throttles are used for sign-in alerts.
CloudflareTurnstile bot challenge and DNSIP address, browser context, and challenge solve evidenceGlobalTurnstile handles bot-mitigation metadata, not product content.
GoogleOAuth identity providerEmail, name, profile picture URL, and Google subject claimGlobalOAuth scopes are limited to openid, email, and profile.
Trigger.devBackground job runtime for ingestion and lab pipelinesIndicator catalog data, user UUIDs and lab/job metadata, lab run results, queue metadata, and job stateUSA/global under the configured Trigger.dev workspaceUser identifiers and results are limited to the active job workflows that require them.
Tiger Cloud / TimescaleTime-series storage for the macroeconomic indicator discovery catalogPublic macroeconomic catalog metadata and observation rowsUSA/global under the configured databaseUsed for public macro data, not platform-user PII.

Review path

Vendor and privacy questions

Vendor-security and institutional procurement questions can be sent to security@macrobymark.com. Privacy and subprocessor questions can be sent to privacy@macrobymark.com.

Primary references

Sources that informed the current posture. Included for transparency; this doesn't turn the page into legal advice.

Related policies

The other pages that round out the trust posture for Macro by Mark.