Subprocessors

Third-party services that process Scout user data on our behalf. For each: what data flows, why, where it's processed, and the status of any contract (DPA / standard terms) we have with the provider. This page is the canonical transparency surface our privacy policy points to.

Last reviewed: 2026-05-16

• Anthropic

  United States

  Large-language-model provider — generates Scout's Socratic responses to kid messages.

  DPA in progress
  Data flow

  Conversation text (kid message + Scout system prompt + recent history). Per the Anthropic API terms, prompts and completions are not used to train Anthropic's models.

  DPA note

  Request workflow: Anthropic Console → Settings → Legal → request DPA. Update this row's status to 'signed' + the signed-on date once executed.

  Last reviewed

  2026-05-16

• OpenAI (Whisper STT)

  United States

  Speech-to-text transcription for English voice sessions when voice mode is enabled.

  Standard terms
  Data flow

  Audio clip of the child's spoken utterance. Returns the text transcript. Per OpenAI API terms, audio is not retained for model training.

  DPA note

  Standard OpenAI Business Associate / DPA terms apply via the API agreement. No separately-negotiated addendum.

  Last reviewed

  2026-05-16

• ElevenLabs

  United States

  Text-to-speech synthesis for Scout's spoken voice responses.

  DPA in progress
  Data flow

  Scout's response text (no kid input is sent). Returns synthesized audio.

  DPA note

  DPA request pending — outbound to ElevenLabs legal.

  Last reviewed

  2026-05-16

• Microsoft Azure Cognitive Services

  United States

  Per-phoneme pronunciation scoring on language drill turns (Spanish / French / German vocabulary).

  Standard terms
  Data flow

  Audio clip of the drill utterance + the reference text Scout is teaching. Returns word-level and phoneme-level accuracy scores. Only sent on drill turns — conversational turns are transcribed by OpenAI Whisper, never by Azure.

  DPA note

  Microsoft Online Services DPA covers Azure Cognitive Services with explicit COPPA and FERPA compliance posture.

  Last reviewed

  2026-05-16

• Amazon Web Services (Lightsail + S3)

  us-east-1 (United States)

  Application hosting (Lightsail) and database backup replication via Litestream to S3.

  Standard terms
  Data flow

  All Scout data lives on the hosting volume: user accounts, sessions, exchanges, voice clips, training audit rows. The SQLite database is continuously replicated to a private S3 bucket for disaster recovery.

  DPA note

  AWS Customer Agreement + DPA addendum apply to all Lightsail + S3 usage.

  Last reviewed

  2026-05-16

• Cloudflare

  Global edge (Cloudflare PoPs)

  CDN + HTTPS termination for scout-learning.com (Flexible SSL mode currently; Full SSL upgrade tracked separately).

  Standard terms
  Data flow

  Request headers and IP addresses pass through Cloudflare's edge for routing and DDoS protection. Cloudflare does not have access to application-level user data (kid messages, audio, etc.) — that traffic is decrypted only on the Lightsail origin.

  DPA note

  Cloudflare standard DPA applies via the account terms.

  Last reviewed

  2026-05-16

• Resend

  United States

  Transactional email delivery — signup verification, magic-link sign-in, password reset, weekly digest, consent verification.

  DPA in progress
  Data flow

  Recipient email address + email body (which contains links, no kid PII beyond the parent's name in some templates).

  DPA note

  DPA request pending — outbound to Resend.

  Last reviewed

  2026-05-16