Subprocessors
The third-party vendors that CourseWise LLC uses to deliver CourseWise, and how we change the list.
Current subprocessors
The vendors below process limited categories of customer data on CourseWise LLC's instructions to deliver specific parts of the Service. Each is bound by a written data processing agreement that restricts use of the data to the service performed and prohibits further disclosure.
| Vendor | Service | Region | Purpose | DPA |
|---|---|---|---|---|
| Cloudflare | Workers, R2, AI Gateway, KV | Global (edge) | Application hosting, file storage, AI provider gateway, rate-limit cache | DPA |
| Neon | Postgres | us-east-1 (configurable) | Primary database | DPA |
| Anthropic | Claude API | United States | Generative AI for material authoring and AI-graded responses | DPA |
| Gamma | Presentation generation API | United States | Generating slide decks from teacher-authored reading materials and instructions; storing the resulting deck for download. Receives only the reading-material content and prompts the teacher chooses to include. | DPA |
Notification of changes
Before we add or replace a subprocessor that will process customer personal information, we update this page and notify institutional customers at least thirty days in advance through the contact on file. Institutions that have objection rights in their agreement may object in writing during the notice period, and we will work in good faith to offer a commercially reasonable alternative or, failing that, to honor the termination rights set out in the contract.
Subprocessor assessment criteria
We evaluate each prospective subprocessor against, at minimum:
- A current independent security attestation (for example SOC 2 Type II, ISO 27001) or an equivalent program we can review.
- A data processing agreement on terms that flow down the confidentiality, security, sub-processing, and incident-notification commitments we make to our customers.
- Hosting region and data-residency controls that match what we promise customers, and that support institutional restrictions on cross-border transfer.
- A documented incident response process, including a defined notification timeline back to us as the customer of the subprocessor.
- A contractual prohibition on using customer data to train the vendor's own models or for any purpose beyond delivering the service.
Contact
For questions about this list, to request a copy of a subprocessor's DPA, or to file an objection to a planned change, please use our Data Requests page.