Skip to main content
Prax CRM — Smart. Secure. Scalable.®

Legal

Sub-processors

Every third party that processes customer data on Prax CRM's behalf, what they do, and where they're based. Updated whenever this list changes.

Last updated: 2026-05-27

Sub-processor
Purpose
Location
DPA
Vercel
Application hosting, edge / CDN, build platform
United States (multi-region)
View →
Convex
Application database, file storage, real-time sync
United States
View →
Zoho Mail
Primary transactional email delivery via authenticated SMTP (system notifications, password resets, workspace invites).
India / United States
View →
Resend
Secondary transactional email delivery (used when platform SMTP is unavailable).
United States
View →
Postmark
Tertiary transactional email delivery (last-resort fallback when SMTP and Resend are both unavailable).
United States
View →
Razorpay
Payment processing for invoices and subscription billing (India region — INR).
India
View →
PayPal
Payment processing for invoices and subscription billing (global — USD).
United States, Luxembourg
View →
ipinfo.io
IP → geolocation enrichment for inbound web leads (country / region / city / timezone). Used at lead-creation time only.
United States
View →
Google Analytics
Website usage analytics (anonymised IP; loaded only after explicit cookie consent).
United States
View →
Cloudflare
DNS, edge caching for static assets (transitive via Vercel).
United States
View →
Have I Been Pwned (HIBP)
Password-breach check at signup and reset. Only the first 5 characters of a SHA-1 hash of the candidate password are sent (k-anonymity range API) — no email, name, or full password leaves Prax CRM.
Cloudflare global edge
View →

How we add or change sub-processors

When we add a new sub-processor, this page is updated and existing customers are notified at least 30 days before the new processor begins handling their data. Customers may object to a new sub-processor by emailing privacy@praxcrm.com within that window; we will work in good faith to resolve the objection or, if we can't, allow termination of the affected service per the DPA.

Data residency

Today, customer data is stored in the United States via Convex. EU customers on Enterprise plans can request region-pinned storage at signup; we'll match the request as soon as our backend supports the additional region. Until then, EU traffic is governed by the relevant Standard Contractual Clauses (SCCs) referenced in our DPA.

Questions

Email privacy@praxcrm.com for anything not covered above. Vulnerability reports go to privacy@praxcrm.com — see also /.well-known/security.txt.

Looking for the full DPA, GDPR notice, or terms?

Data Processing Addendum·GDPR notice·Privacy policy·Terms