Subprocessors
Last updated: June 18, 2026
This page lists the third-party service providers ("subprocessors") that ProxyLLM engages to help operate its service. ProxyLLM is operated by Sysdev TechStrategy & Consulting Ltda. (CNPJ 37.016.893/0001-73) ("ProxyLLM", "we", "us"), a company established in Brazil with registered offices at Av. Andrômeda, 433, Sala 515, Jardim Satélite, São José dos Campos – SP, CEP 12.230-000. Questions about this page, or requests to exercise your data-protection rights, can be sent to contact@proxyllm.dev, which is our designated data-subject communication channel.
This page should be read together with our Privacy Policy and Terms of Service. Where those documents and this page describe the same subprocessor, we keep them consistent; this page is the authoritative, dated list of subprocessors.
Our Role: Controller and Operator
ProxyLLM sits in two distinct data-protection roles depending on the data involved, and our subprocessors inherit the corresponding role.
- For your account, billing, and website-analytics data (for example, your email, name, account identifier, subscription status, and landing-page visits), ProxyLLM acts as the data controller (controlador under Brazil's LGPD; "controller" under the GDPR; "business" under the CCPA/CPRA). The subprocessors that handle this data act on our instructions as our processors/service providers.
- For the prompt and response content that passes through the proxy on your behalf, ProxyLLM acts as the data operator (operador under the LGPD; "processor" under the GDPR; "service provider" under the CCPA/CPRA). In that flow you are the controller of your own end-users' data, and the upstream model providers we use to fulfil your request act as sub-operators / sub-processors. We process this content solely to deliver, cache, and route the request you initiated — never for our own purposes and never to train, fine-tune, or improve any model.
This dual-role split is described in more detail in our Terms of Service and is available to business customers under a Data Processing Agreement.
What Data ProxyLLM Stores, and What It Does Not
To make this list meaningful, it helps to be precise about what our systems actually persist. We avoid blanket claims because two of our systems behave differently:
- Request logs store metadata only. Our usage logs record the model used, input and output token counts, estimated cost, latency, an optional usage tag you supply, and whether the request was a cache hit. They contain no prompt or response content and no IP address.
- The semantic cache stores response content and a hashed representation of your prompt. To serve repeated and semantically similar requests without a new upstream call, our cache stores (a) the full text of the corresponding model response as JSON, (b) a SHA-256 hash of the normalized prompt text (your system prompt plus the most recent user message) used as the cache key — not the prompt in clear text — and (c) a numerical embedding vector derived from that same prompt text for similarity matching. All cache data is scoped to your individual workspace and expires automatically after a plan-based time-to-live.
- Prompt text is sent to an embedding provider in clear text for semantic-cache lookups and writes. We do not store that clear text ourselves, but it is transmitted to the embedding subprocessor listed below.
- Customer-supplied upstream provider keys (BYOK) are encrypted at rest using AES-256-GCM with a server-held master key and a fresh nonce per operation. The clear-text key is never returned by our API; only the last four characters and the base URL are ever surfaced.
Because cached responses may reproduce content from earlier prompts, and because a semantically similar prompt may be served a previously cached response within your workspace, you should not submit sensitive personal data (for example, racial or ethnic origin, health, biometric, religious, political, or sexual-life data under LGPD Art. 5, II / GDPR Art. 9) through the proxy unless you have a lawful basis to do so and accept the caching behavior described above. ProxyLLM does not use prompt content to infer characteristics about any individual.
Legal Bases for Processing
We process personal data on the following lawful bases (LGPD Art. 7 / GDPR Art. 6). Where more than one basis is listed for a purpose, the primary basis is stated first.
- Operating your account and authentication, delivering the proxy, caching, and routing your requests, and billing for paid plans — execution of a contract with you (LGPD Art. 7, V; GDPR Art. 6(1)(b)). This covers Clerk, Railway, Vercel hosting, Stripe, and the upstream model/embedding providers when fulfilling your requests.
- Request-log metadata, rate-limiting, fraud and abuse prevention, security, error tracking (Sentry), and uptime monitoring (UptimeRobot) — our legitimate interest (LGPD Art. 7, IX; GDPR Art. 6(1)(f)) in keeping the service secure, reliable, and operable, billing accurately, and preventing abuse, balanced against your rights and freedoms.
- Transactional email (Resend) — execution of a contract and/or legitimate interest (LGPD Art. 7, V and IX; GDPR Art. 6(1)(b) and (f)) in keeping you informed about your account, usage thresholds, and payment status. These are service messages, not marketing.
- Website analytics (Vercel Web Analytics) — your consent where required (LGPD Art. 7, I; GDPR Art. 6(1)(a)); the technology we use is cookieless and stores or reads no information on your device, so where consent is not legally triggered we rely on legitimate interest with this disclosure (see the Website Analytics entry below).
- Tax, accounting, and other legally mandated retention — compliance with a legal or regulatory obligation (LGPD Art. 7, II; GDPR Art. 6(1)(c)).
You may withdraw any consent at any time (this does not affect processing already carried out), and where we rely on legitimate interest you may object as described in "Your Rights and Complaints" below. Withdrawing consent for non-essential analytics will not affect your ability to use the service; declining to provide data that is necessary to perform the contract (for example, account or billing data) may mean we cannot provide the service.
Current Subprocessors
The following subprocessors are engaged as of the "Last updated" date above. All are established in or process data in the United States; none of them is in a jurisdiction that Brazil currently recognizes as providing an adequate level of data protection. International transfers and the safeguards we rely on are described in the International Data Transfers section below.
Infrastructure and Hosting
- Railway — Hosts the proxy server, the PostgreSQL database, and the Redis cache (production and an isolated staging environment). This is where all persisted data resides: account and workspace records, request-log metadata, encrypted BYOK keys, and the semantic cache (hashed prompts, embedding vectors, and full cached responses).
- Data processed: account and workspace data, request-log metadata, encrypted upstream keys, cached prompts/responses and embeddings.
- Vercel — Hosts the Next.js dashboard (app.proxyllm.dev) and the public landing site (proxyllm.dev).
- Data processed: standard hosting and request data (such as IP address and user agent in platform logs); authenticated dashboard traffic transits Vercel to reach the proxy.
Authentication and Billing
- Clerk — Authentication and user management (sign-up and sign-in). Clerk is the source of your email, name, and account identifier. ProxyLLM stores no passwords; authentication is fully delegated to Clerk.
- Data processed: email, name, and user identifier.
- Stripe — Payment processing and subscription billing for paid plans. We never receive or store full card numbers; payment details are handled entirely by Stripe.
- Data processed: customer identity for the billing record, payment method (held by Stripe); we retain only a Stripe customer identifier and subscription status.
Upstream Model and Embedding Providers
- OpenAI — Default upstream large-language-model provider and default embedding provider. Requests are forwarded to it on a cache miss when configured as the upstream.
- Data processed: full prompt and response payloads; clear-text prompt text (system prompt plus last user message) sent for embedding generation.
- OpenRouter — The upstream model gateway used in production for both OpenAI-format and Anthropic-format traffic (including the Anthropic-compatible endpoint) and for embeddings.
- Data processed: full prompt and response payloads; clear-text prompt text for embeddings.
- Anthropic — Upstream provider for Claude models served through our Anthropic-compatible endpoint (reached in production via OpenRouter, and configurable to connect directly).
- Data processed: full prompt and response payloads for Anthropic-format requests.
Training-data flow-down. OpenAI and Anthropic contractually exclude API traffic from default model training; we do not permit your prompt or response content to be used to train, fine-tune, or improve any model. When you enable Bring Your Own Key (BYOK), your traffic is sent directly to your own upstream provider account under your own contract with that provider, and our managed gateway is bypassed — in that case the relevant provider's data-use, training, and opt-out settings are those of your own account and contract.
Communications, Monitoring, and Status
- Resend — Transactional email delivery (welcome, usage-threshold, usage-exceeded, and payment-failure notifications).
- Data processed: recipient email address and first-name greeting; the welcome message includes your workspace API key. Security note: because the welcome email contains a live API key, that credential transits and resides in Resend's mail-delivery systems (and in your mailbox); treat it as you would any credential, and rotate the key via the dashboard if you believe it has been exposed.
- Sentry — Error tracking and performance monitoring for the proxy. We disable personal-data capture and exclude the authorization header; only server-side (5xx) errors and performance spans are forwarded.
- Data processed: error events and stack-trace context, which may incidentally include request metadata; no prompt or response bodies.
- UptimeRobot — External uptime monitoring and our public status page.
- Data processed: none. UptimeRobot only sends health-check requests to our public endpoints; no customer data is shared.
Website Analytics
- Vercel Web Analytics — First-party, privacy-oriented analytics for the public landing site. This subprocessor is in the process of being added and may not yet be active.
- Data processed: aggregated page-view events and coarse device/approximate-location signals for the landing site only. Vercel Web Analytics is cookieless and stores or reads no information on your device; we therefore rely on legitimate interest together with this disclosure rather than a cookie-consent banner. If we ever add a technology that stores or reads information on your device, we will implement an appropriate consent mechanism and update this list and our cookie disclosure before it goes live.
How We Engage and Change Subprocessors
By using ProxyLLM you provide a general authorization for us to engage the subprocessors listed above. Before we add a new subprocessor or replace an existing one that processes personal data, we will update this page with a revised "Last updated" date and, for business customers under a Data Processing Agreement, notify the account owner. Where a customer has a reasonable, data-protection-based objection to a new subprocessor, the customer may raise it with us at contact@proxyllm.dev within thirty (30) days of notice; if we cannot reasonably accommodate the objection, the customer may terminate the affected service. We require each subprocessor, by written contract, to provide an adequate level of data protection and to process personal data only as needed to provide its service to us.
International Data Transfers
ProxyLLM is operated from Brazil, and the subprocessors above process personal data outside Brazil (primarily in the United States). Personal data reaching US-based subprocessors relies on the following safeguards, which are incorporated into each subprocessor's Data Processing Agreement:
- For the LGPD leg, we rely on the ANPD Standard Contractual Clauses (Cláusulas-Padrão Contratuais, ANPD Resolution CD/ANPD No. 19/2024), which became required for international-transfer arrangements, and — where transfer is necessary to perform our contract with you — on the contract-necessity basis under LGPD Art. 33, IX.
- For the European Economic Area leg, we rely on the European Union's adequacy decision for Brazil (in force since January 2026) for flows reaching ProxyLLM in Brazil, and on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and/or the applicable Data Privacy Framework for onward flows to subprocessors processing data outside an adequacy framework.
A copy of the safeguards applied to a specific subprocessor is available on request at contact@proxyllm.dev.
EU/EEA Representative (GDPR Article 27)
ProxyLLM is established in Brazil. To the extent the GDPR applies to our processing under Article 3(2), our representative in the European Union for the purposes of Article 27 is identified in our Privacy Policy; EEA data subjects and supervisory authorities may also contact us directly at contact@proxyllm.dev, and we will route the matter to the representative as required.
Security Measures
We maintain technical and organizational measures appropriate to the risk (LGPD Art. 46; GDPR Art. 32), including:
- Encryption in transit — TLS 1.2 or higher for connections to the proxy, dashboard, database, cache, and upstream providers.
- Network isolation — the production database and cache are reachable only over the internal provider network, with no public TCP exposure.
- Hardened runtime — the proxy runs in a non-root, minimized container image.
- Credential handling — workspace API keys are compared in constant time (timing-safe) to resist timing attacks, and customer-supplied BYOK upstream keys are encrypted at rest with AES-256-GCM using a server-held master key and a fresh nonce per operation.
- Tenant isolation — all data access is scoped to the owning workspace, and the semantic cache is partitioned per workspace.
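The credential-handling measures above (AES-256-GCM with a fresh nonce per operation, display of only the last four characters, and constant-time key comparison), sketched in Node.js as an added example. It is not ProxyLLM's code; the function names, the nonce/tag/ciphertext record layout, and the use of the workspace ID as associated data are assumptions of this example.

```javascript
// Added illustration, not ProxyLLM's code. All names here are hypothetical.
const crypto = require('node:crypto');

const NONCE_LEN = 12; // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

// Encrypt a customer-supplied upstream key under a 32-byte master key.
// Assumption of this example: the workspace ID is bound as associated data,
// so a record copied into another workspace fails authentication.
function sealUpstreamKey(masterKey, workspaceId, clearKey) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh for every operation
  const cipher = crypto.createCipheriv('aes-256-gcm', masterKey, nonce);
  cipher.setAAD(Buffer.from(workspaceId, 'utf8'));
  const ct = Buffer.concat([cipher.update(clearKey, 'utf8'), cipher.final()]);
  return {
    // Stored record: nonce || tag || ciphertext, base64-encoded.
    blob: Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64'),
    // The only part of the clear-text key that is ever surfaced again.
    last4: clearKey.slice(-4),
  };
}

// Decrypt a stored record. Throws if the record was modified, was sealed
// under a different master key, or belongs to a different workspace.
function openUpstreamKey(masterKey, workspaceId, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < NONCE_LEN + TAG_LEN) throw new Error('record too short');
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ct = raw.subarray(NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', masterKey, nonce);
  decipher.setAAD(Buffer.from(workspaceId, 'utf8'));
  decipher.setAuthTag(tag);
  // final() verifies the tag and throws on any mismatch.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constant-time comparison of a presented workspace API key. Both values are
// hashed first so timingSafeEqual always receives equal-length buffers and
// the key length is not revealed by an early exit.
function apiKeyMatches(presented, expected) {
  const digest = (s) =>
    crypto.createHash('sha256').update(String(s), 'utf8').digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Constructed sample values, for demonstration only.
const demoMasterKey = crypto.randomBytes(32);
const demoRecord = sealUpstreamKey(demoMasterKey, 'ws_demo', 'constructed-upstream-key-1234');
console.log(demoRecord.last4, openUpstreamKey(demoMasterKey, 'ws_demo', demoRecord.blob).length);
```

Because the nonce is random per call, sealing the same key twice yields two different stored records, and any single changed byte makes decryption fail instead of returning altered plaintext.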
Data Retention
Personal data handled through our subprocessors is retained only as long as needed for the relevant purpose:
- Request-log metadata: Free 7 days, Pro 30 days, Scale 90 days, after which it is automatically deleted.
- Semantic cache (responses, prompt hashes, embeddings): automatically expires per plan — Free 24 hours, Pro 72 hours, Scale 168 hours.
- Account data (Clerk, Stripe): retained while your account is active and deleted on request, subject to the legal-retention exceptions in LGPD Art. 16 (for example, compliance with a legal or regulatory obligation), and subject additionally to Clerk's and Stripe's own provider-side retention policies for the records they hold.
- Encrypted BYOK keys: retained until you remove them or close your account.
- Transactional email (Resend): the welcome email — which contains a live workspace API key — and other service emails reside in Resend's mail-delivery systems for Resend's standard log/retention window; rotate the key via the dashboard if you believe it has been exposed.
- Monitoring and analytics data (Sentry, Vercel Web Analytics): retained for the provider's standard window.
When the purpose of processing is achieved, or upon a valid request or consent revocation, we end the processing and delete or anonymize the relevant personal data, subject to the exceptions above.
Your Rights and Complaints
You may exercise your data-protection rights by contacting contact@proxyllm.dev. Depending on the law that applies to you, these include:
- Confirmation of processing and access to your personal data;
- Correction of incomplete, inaccurate, or out-of-date data;
- Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the law;
- Data portability to another provider, on request;
- Information about the public and private entities with which we have shared your data;
- Restriction of processing (GDPR Art. 18) in the circumstances provided by law;
- Objection to processing (GDPR Art. 21) carried out on the basis of legitimate interest, and to direct marketing at any time;
- Information about the possibility of denying consent and the consequences of refusal (LGPD Art. 18), as also summarized in "Legal Bases for Processing" above; and
- Withdrawal of consent at any time, without affecting processing already carried out.
No solely-automated decisions. Our routing and caching are operational mechanisms to deliver and optimize your requests; they do not constitute automated decision-making that produces legal or similarly significant effects about you within the meaning of GDPR Art. 22, and we do not use prompt content to profile or make decisions about individuals.
We aim to respond within the timeframes required by applicable law (15 days for confirmation-of-processing and access requests under the LGPD; one month under the GDPR). You also have the right to lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) in Brazil, with your local supervisory authority in the EEA, or with the relevant authority in your jurisdiction.
Data Protection Officer / Encarregado
ProxyLLM relies on the small-processing-agent regime (ANPD Resolution CD/ANPD No. 2/2022) and, in lieu of a formal Encarregado, designates contact@proxyllm.dev as its data-subject communication channel. If our processing ceases to qualify for that regime, we will appoint and name a formal Encarregado (and a Data Protection Officer where the GDPR so requires).
Security Incidents
If a security incident affecting your personal data occurs and is likely to create a relevant risk or harm, we will notify the competent supervisory authority (the ANPD in Brazil; the relevant EEA authority for affected EU data subjects) and the affected individuals within the timeframes and with the content required by applicable law, including a description of the technical and security measures taken. Where we act as operator/processor for content flowing through the proxy, we will notify the affected customer-controller without undue delay so that the customer can meet its own notification obligations.
Limitation of Liability and Disclaimer Regarding Subprocessors and Model Outputs
To the maximum extent permitted by applicable law, and without limiting the consumer protections that apply to Brazilian consumers under the Código de Defesa do Consumidor:
- No warranty. The service, including the proxy, semantic cache, routing, and all integrations with the subprocessors listed above, is provided "as is" and "as available", without warranties of any kind, whether express, implied, or statutory, including any implied warranty of merchantability, fitness for a particular purpose, accuracy, or non-infringement.
- Model-output disclaimer. Responses are generated by third-party AI models operated by the upstream providers listed above. ProxyLLM is a passthrough proxy and does not generate, control, verify, or endorse model output. Output may be inaccurate, incomplete, biased, outdated, or offensive ("hallucinations"). You are solely responsible for reviewing and validating output, and you must not rely on it for medical, legal, financial, or other high-stakes decisions without qualified human review.
- Upstream and subprocessor dependency. ProxyLLM is not liable for the acts, omissions, outages, content-moderation decisions, model changes or deprecations, access suspensions, or pricing changes of any subprocessor or upstream provider, and we may modify, add, or remove supported models and subprocessors. Downtime or degradation caused by a third-party provider is outside our reasonable control and is excluded from any availability commitment.
- Liability cap. To the maximum extent permitted by applicable law, ProxyLLM and Sysdev TechStrategy & Consulting will not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for any loss of profits, revenue, data, or goodwill; and our aggregate liability arising out of or relating to the service or the subprocessors will not exceed the amounts you paid to us for the service in the three (3) months preceding the event giving rise to the claim.
Acceptable Use and Indemnity
Your use of the service through these subprocessors must comply with our Terms of Service and with the acceptable-use policies of the underlying providers (including the OpenAI usage policies and the Anthropic acceptable use policy). You must not use the service to generate, transmit, or store unlawful content, child sexual abuse material, malware, content facilitating weapons development, harassment, or to make high-risk automated decisions without appropriate human oversight and disclosure. A breach of an upstream provider's acceptable-use policy is a breach of our Terms and may result in suspension or termination, including any suspension imposed on us by an upstream provider. You agree to defend, indemnify, and hold harmless ProxyLLM and Sysdev TechStrategy & Consulting from and against any claims, damages, liabilities, and reasonable costs (including legal fees) arising from your content, your use of the service, your violation of these terms or any upstream acceptable-use policy, or your infringement of any third-party right.
Sale or Sharing of Personal Information
ProxyLLM does not sell or share personal information for monetary or other valuable consideration, and does not "share" personal information for cross-context behavioral advertising, within the meaning of the CCPA/CPRA. The subprocessors above are engaged as service providers and contractors under written contract, not as recipients of a sale or share. We have not sold or shared personal information in the preceding twelve months, and we do not knowingly sell or share the personal information of consumers under 16 (and, consistent with our age policy below, the service is not directed to anyone under 18).
Children
The service is not directed to children under 18, and we do not knowingly collect personal data from them.
Governing Law and Venue
This page and the relationship it describes are governed by the laws of the Federative Republic of Brazil, without regard to conflict-of-laws principles. Except where mandatory consumer-protection or data-protection rules provide otherwise, the courts of the domicile of Sysdev TechStrategy & Consulting in Brazil have exclusive jurisdiction over any dispute arising out of or relating to this page or the subprocessors described in it. Mandatory protections available to Brazilian consumers under the Código de Defesa do Consumidor and to data subjects under the LGPD are preserved.
Changes to This Page
We may update this page from time to time to reflect changes to our subprocessors or to applicable law. Material changes will be reflected in the "Last updated" date above, and, for business customers under a Data Processing Agreement, communicated as described in "How We Engage and Change Subprocessors".
Contact
For any question about this page, our subprocessors, or your data-protection rights, contact us at contact@proxyllm.dev.