Subprocessors

The third-party vendors that CourseWise LLC uses to deliver CourseWise, and how we change the list.

Last updated: 2026-05-29Version: v1.0

Current subprocessors

The vendors below process limited categories of customer data on CourseWise LLC's instructions to deliver specific parts of the Service. Each is bound by a written data processing agreement that restricts use of the data to the service performed and prohibits further disclosure.

VendorServiceRegionPurposeDPA
CloudflareWorkers, R2, AI Gateway, KVGlobal (edge)Application hosting, file storage, AI provider gateway, rate-limit cacheDPA
NeonPostgresus-east-1 (configurable)Primary databaseDPA
AnthropicClaude APIUnited StatesGenerative AI for material authoring and AI-graded responsesDPA
GammaPresentation generation APIUnited StatesGenerating slide decks from teacher-authored reading materials and instructions; storing the resulting deck for download. Receives only the reading-material content and prompts the teacher chooses to include.DPA

Notification of changes

Before we add or replace a subprocessor that will process customer personal information, we update this page and notify institutional customers at least thirty days in advance through the contact on file. Institutions that have objection rights in their agreement may object in writing during the notice period, and we will work in good faith to offer a commercially reasonable alternative or, failing that, to honor the termination rights set out in the contract.

Subprocessor assessment criteria

We evaluate each prospective subprocessor against, at minimum:

  • A current independent security attestation (for example SOC 2 Type II, ISO 27001) or an equivalent program we can review.
  • A data processing agreement on terms that flow down the confidentiality, security, sub-processing, and incident-notification commitments we make to our customers.
  • Hosting region and data-residency controls that match what we promise customers, and that support institutional restrictions on cross-border transfer.
  • A documented incident response process, including a defined notification timeline back to us as the customer of the subprocessor.
  • A contractual prohibition on using customer data to train the vendor's own models or for any purpose beyond delivering the service.

Contact

For questions about this list, to request a copy of a subprocessor's DPA, or to file an objection to a planned change, please use our Data Requests page.