Unified Loan System · Legal · Sub-processors
Third-Party Sub-Processors
Last updated 2026-05-07.
The third parties listed below are authorized sub-processors that may Process Borrower NPI on behalf of Unified Loan System customers, in connection with the operation of the Service. We impose contractual data-protection obligations on each sub-processor that are no less protective than those set out in our Data Processing Agreement.
We will provide notice of any new sub-processor that handles Borrower NPI before authorizing them to do so. Customers may object to a new sub-processor in writing within thirty (30) days of notice; if we cannot reasonably accommodate the objection, the customer may terminate the affected portion of the Service.
Plaid, Inc.
Their DPA →- Purpose
- Borrower-permissioned bank account verification, identity match, and asset reporting
- Location
- United States
- Data categories
- Identity, account/routing numbers, transaction history
Socure, Inc.
Their DPA →- Purpose
- KYC + Document Verification (DocV) for borrower identity proofing
- Location
- United States
- Data categories
- Identity, government ID images, biometric liveness
OpenAI, L.L.C.
Their DPA →- Purpose
- Document classification, OCR, and AI-assisted underwriting (Vision + chat models)
- Location
- United States
- Data categories
- Document images and extracted text — not used for training per OpenAI API DPA
Anthropic PBC
Their DPA →- Purpose
- AI-assisted document classification, OCR consensus, and underwriting copilot
- Location
- United States
- Data categories
- Document images and extracted text — not used for training per Anthropic Commercial Terms
Amazon Web Services, Inc.
Their DPA →- Purpose
- Cloud infrastructure, S3 object storage, AWS Textract structured-document OCR
- Location
- United States (us-east-1, us-west-2)
- Data categories
- All loan data at rest, document images
Neon, Inc.
Their DPA →- Purpose
- PostgreSQL managed database hosting
- Location
- United States
- Data categories
- Loan applications, user accounts, audit logs
Railway Corp.
Their DPA →- Purpose
- Application server hosting and deploy orchestration
- Location
- United States
- Data categories
- Server-process memory only — no persistent borrower data
Resend, Inc.
Their DPA →- Purpose
- Transactional email delivery (loan estimates, closing disclosures, AAN, OTP)
- Location
- United States
- Data categories
- Recipient email + email body content
Stripe, Inc.
Their DPA →- Purpose
- Subscription + metered billing for broker accounts (no borrower payments)
- Location
- United States
- Data categories
- Broker billing contact + payment-method tokens — no Borrower NPI
DocMagic, Inc.
Their DPA →- Purpose
- Compliant disclosure document generation (LE, CD, NOC) and e-signature
- Location
- United States
- Data categories
- Loan application data needed for disclosure rendering
Cloudflare, Inc.
Their DPA →- Purpose
- CDN, edge caching, WAF, and Cloudflare Tunnel for Synology NAS connectivity
- Location
- Global edge — borrower traffic routes through nearest POP
- Data categories
- Encrypted traffic in transit; metadata for performance + security
Synology Inc. + on-premise MinIO
- Purpose
- Document object storage on broker-controlled NAS
- Location
- United States (broker-owned premises, served via Cloudflare Tunnel)
- Data categories
- Document images
Sentry (Functional Software, Inc.)
Their DPA →- Purpose
- Application error monitoring
- Location
- United States
- Data categories
- Stack traces — Borrower NPI scrubbed before transmission
Questions? Contact us at legal@verispect.ai. See also the Master SaaS Agreement and Data Processing Agreement.