Kitchen Toolkit documentation

Kitchen Toolkit — Subprocessor Schedule

docs/legal/subprocessor-schedule.md

# Kitchen Toolkit — Subprocessor Schedule

_Last updated: 2026-03-22_ [source: docs/legal/subprocessor-schedule.md]

- This is the standard customer-facing subprocessor schedule for the hosted Kitchen Toolkit stack documented in this repository today. It turns the provider lists already scattered across the Privacy Notice and Terms of Service into one maintained artifact. [source: docs/legal/privacy-notice.md][source: docs/legal/terms-of-service.md]
- Several rows are feature-conditional: Stripe applies when billing is enabled, `/help` AI providers apply only when the public help desk is used, and customer-selected SMTP/webhook providers apply only when a tenant configures them. [source: docs/legal/privacy-notice.md][source: lib/billing/stripe.js][source: pages/api/support-bot.js][source: pages/admin/settings.js]

## Schedule

| Provider / category | Role in service delivery | Data categories processed | Region / hosting note | Feature scope |
| --- | --- | --- | --- | --- |
| Vercel | Hosts the Next.js application and routes web/API traffic. | Account requests, admin traffic, device/API traffic, hosted page requests, support/help requests. | Hosted application stack; public docs say Canada/US processing may occur through the hosted providers. | Core hosted product. |
| Upstash | Default KV store plus temporary `/help` support cache and attachment-image publication storage. | Logs, telemetry, tenant profile/env metadata, alert state, support-session history, short-lived attachment-image payloads. | Default KV region is AWS N. Virginia `us-east-1` unless the tenant points telemetry to its own KV. | Core hosted product and `/help`. |
| GitHub | Stores the private source repository and Git-backed restaurant bundle content. | Source-controlled restaurant bundle files, docs, and repo history. | Private GitHub repository noted in docs. | Core content publishing / source control. |
| Stripe | Handles checkout, billing, and subscription lifecycle webhooks. | Billing metadata such as tenant ID, plan, auto-renew flag, and Stripe customer/subscription IDs. | Stripe-hosted billing flow; card data is not processed directly by KT. | Billing only. |
| Customer-selected SMTP providers / webhook targets | Deliver account, alert, export, and customer-directed notifications when configured by the tenant. | Recipient addresses, alert/export payloads, email metadata, webhook payloads. | Controlled by each tenant's configured provider choices. | Optional messaging/integrations. |
| KT-managed Google / Gmail mail transport | Fallback or KT-managed outbound email for account, security, operational, and export messages when a feature uses KT-managed delivery. | Recipient addresses, account/security/export mail content, operational alert content. | Hosted mail transport operated through Google/Gmail infrastructure. | Feature-dependent fallback/platform delivery. |
| Groq / OpenAI / OpenRouter | Generate `/help` responses and inspect supported attachments when those providers are configured at runtime. | Help prompts, supported attachment content, image URLs/data for visual troubleshooting, runtime/provider metadata. | Region depends on the configured provider path at runtime. | `/help` only. |
| Google Fonts / Cloudflare CDN-hosted AOS assets | Browser-delivered public-page assets loaded by marketing/help/trust pages. | Standard page-request metadata such as IP, user agent, and referrer. | Loaded in the visitor browser from third-party URLs. | Public site only. |

[source: docs/legal/privacy-notice.md][source: docs/legal/terms-of-service.md][source: docs/reference/data-and-privacy.md][source: lib/billing/stripe.js][source: pages/api/support-bot.js][source: lib/agent/llm.js][source: lib/agent/attachmentImageStore.js][source: pages/admin/settings.js][source: public/landing.html][source: pages/trust.jsx][source: pages/faq.jsx][source: pages/manual.jsx][source: pages/onboarding.jsx]

## Change management

- The Terms of Service and Privacy Notice already commit to communicating material subprocessor additions or changes to tenant contacts at least 30 days in advance when practical, or promptly thereafter when urgent for security/legal reasons. This schedule is the document that should be updated when those changes happen. [source: docs/legal/privacy-notice.md][source: docs/legal/terms-of-service.md]
- Customer-specific constraints still need to be handled in the signed contract packet when a customer requires alternate transfer, residency, or provider terms. Use the standard DPA and transfer addendum templates as the starting point rather than drafting from a blank document. [source: docs/legal/data-processing-addendum.md][source: docs/legal/transfer-addendum-scc.md][source: docs/legal/data-processing-requests.md]

## Last verified

- Last verified: 2026-03-22 after reconciling the provider lists in the Privacy Notice, Terms of Service, `/help` flow, billing flow, and public-page asset references. [source: docs/legal/privacy-notice.md][source: docs/legal/terms-of-service.md][source: pages/api/support-bot.js][source: lib/agent/llm.js][source: lib/billing/stripe.js][source: public/landing.html][source: pages/trust.jsx][source: pages/faq.jsx][source: pages/manual.jsx][source: pages/onboarding.jsx]