Sub-Processors & Data Processing Agreements

GDPR Article 28 — third-party processors engaged by {{COMPANY_NAME}} to process personal data on our behalf. Last reviewed: {{LAST_UPDATED}}.

About this page

We engage carefully selected sub-processors to deliver the service. Each sub-processor is bound by a written Data Processing Agreement (DPA) in compliance with GDPR Article 28. Where personal data is transferred outside the EU/EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs, Module 2 — Controller to Processor, 2021/914) and, where applicable, the EU–US Data Privacy Framework as a transfer mechanism under Articles 44–49.

Signed copies of each DPA are retained in our internal compliance documentation. Enterprise customers may request access to signed copies under NDA by contacting our DPO at {{DPO_EMAIL}}.

Current sub-processors

The full list of services that process personal data on our behalf.

SP-001

Vercel Inc.

Application hosting, edge network, serverless compute, CDN.

Global (multi-region)
Data processed
  • All data transmitted to/from the application (in transit)
  • Access logs (IP address, user-agent)
Hosting / Location
Edge presence worldwide; primary compute in user-selected region.
Transfer mechanism
EU Standard Contractual Clauses (2021/914) + EU-US Data Privacy FrameworkSCC
SP-002

Neon Inc.

Managed PostgreSQL database — primary application data store.

Customer-selectable
Data processed
  • All structured application data
  • Account, organization, tenancy, deposit, property, landlord, tenant records
Hosting / Location
Region selectable at project provisioning (EU, US, Asia-Pacific).
Transfer mechanism
EU Standard Contractual Clauses (2021/914)SCC
SP-003

Calmony Pay

Payment processing, subscription billing, invoice management.

EU / EEA
Data processed
  • Billing email, organization name
  • Subscription plan, payment status (no card data stored by us)
Hosting / Location
Cardholder data is processed by Calmony Pay's PCI-DSS Level 1 environment; we never see PAN.
Transfer mechanism
EU Standard Contractual Clauses (where US sub-processors are used)SCC
SP-004

Resend Inc.

Transactional email delivery (account, invitations, alerts, digests).

United States
Data processed
  • Recipient email, recipient name
  • Email content (notifications, invitations, reports)
Hosting / Location
Email infrastructure operated in the United States.
Transfer mechanism
EU Standard Contractual Clauses (2021/914) + EU-US Data Privacy FrameworkSCC

International data transfers

Where a sub-processor stores or processes personal data outside the European Economic Area (EEA) or the United Kingdom, we rely on the following safeguards under GDPR Chapter V and the UK GDPR:

Changes to sub-processors

We will provide reasonable prior notice of the addition or replacement of any sub-processor that processes personal data. Customers may object to a new sub-processor by contacting {{DPO_EMAIL}} within 30 days of notification. Material changes will be reflected on this page and announced via email to organisation owners.

Requesting our DPA

Customers acting as data controllers can request a counter-signed Data Processing Agreement with {{COMPANY_NAME}} (incorporating the EU SCCs and UK Addendum where applicable) by contacting our DPO at {{DPO_EMAIL}}. Our standard DPA is available to all paid plans at no additional cost.

Privacy PolicyProcessing ActivitiesTerms of ServiceBack to Home