MMAP Compliance
Sub-processors
Last Updated: April 15, 2026 · Version 1.0
A sub-processor is any third party we engage to help deliver the MMAP platform that may process student data in the course of its work. This page lists every current sub-processor, what they do, where they store data, and what contractual protections are in place.
This list is incorporated by reference into every school's Data Processing Agreement. We provide schools with at least 30 days' written notice before adding or replacing a sub-processor.
Current sub-processors
1. Supabase (Supabase Inc.)
- Service:
- Managed Postgres database, authentication, edge functions, file storage, realtime
- Data processed:
- All student, family, staff, and operational data
- Data location:
- us-east-1 (Virginia, USA)
- Protections:
- Supabase DPA; SOC 2 Type II; HIPAA-eligible infrastructure
- Privacy policy:
- https://supabase.com/privacy
2. Vercel (Vercel Inc.)
- Service:
- Frontend hosting, CDN, edge network
- Data processed:
- HTTP request metadata (IP, user agent); no persistent student PII stored on Vercel
- Data location:
- US regions
- Protections:
- Vercel DPA; SOC 2 Type II
- Privacy policy:
- https://vercel.com/legal/privacy-policy
3. Anthropic (Anthropic PBC)
- Service:
- Claude API for optional AI features (summaries, translation, insights, drafting)
- Data processed:
- Minimum-necessary text sent for inference only when the school has enabled AI features
- Data location:
- US regions
- Protections:
- Anthropic API commercial terms; no training on customer data; 30-day retention for abuse monitoring only
- Privacy policy:
- https://www.anthropic.com/legal/privacy
4. Resend (Resend Inc.)
- Service:
- Transactional email delivery
- Data processed:
- Email addresses and content for account and school communications
- Data location:
- US regions
- Protections:
- Resend DPA
- Privacy policy:
- https://resend.com/legal/privacy-policy
5. Stripe (Stripe Inc.)
- Service:
- Payment processing (tuition, billing)
- Data processed:
- Billing contact info and payment method. No student PII transmitted to Stripe.
- Data location:
- US regions
- Protections:
- Stripe DPA; PCI-DSS Level 1
- Privacy policy:
- https://stripe.com/privacy
6. QuickBooks Online — Intuit Inc. (optional)
- Service:
- Optional accounting integration: one-way push of invoices, payments, and household customer records
- Data processed:
- Household billing contact; invoice line items and amounts. No student records.
- Data location:
- US regions
- Protections:
- Intuit Developer Terms
- Privacy policy:
- https://quickbooks.intuit.com
Sub-processors we do NOT use
For clarity, MMAP does not currently use any of the following, and will not add them without the required 30-day notice:
- Google Analytics, Google Tag Manager, Google Ads
- Facebook Pixel, Meta Ads, TikTok Pixel
- Any advertising or marketing tracking SDK
- Any data broker
- Any third-party chat/support widget that receives PII
Change process
When we plan to add or replace a sub-processor:
- We update this page and bump the version
- We publish the update at the canonical URL shared with schools
- We send written notice to every school's Designated Privacy Contact at least 30 days before the new sub-processor begins processing data
- Schools may object in writing to the new sub-processor on reasonable data-protection grounds. See DPA § 7.3 for the objection and termination process.
Contact
Questions about sub-processors, or to receive update notifications by email: privacy@montessorimakersalignmentmap.com
See also: Privacy Policy · Terms of Service · Security & Compliance
MMAP · Built for schools