The full list, always current.
Every third party that touches your data, what they do with it, and the region they sit in. Material changes are emailed to every customer at least 30 days before the new sub-processor goes live.
Active sub-processors.
The table is exhaustive. If a vendor is not on this list, they do not see customer data. Each entry maps to a Data Processing Agreement signed under Article 28(2) GDPR; copies are available to enterprise customers on request.
| Sub-processor | Purpose | Data categories | Region |
|---|---|---|---|
| Google Cloud Platform DPA | Compute (Cloud Run), event ingestion + analytics storage (BigQuery), event queue (Pub/Sub), scheduled jobs (Cloud Scheduler), object storage (Cloud Storage). | Tag-monitoring events, session pseudonymous IDs, application logs, BigQuery query metadata. | Per-tenant residency: asia-south1 (Mumbai), europe-west1 (Belgium), us-central1 (Iowa), australia-southeast1 (Sydney). |
| Supabase DPA | Application Postgres database — tenant, workspace, user, API-key, alert-config, audit-log tables. | Account data (name, email, org), API key bcrypt hashes, audit-log entries. | ap-south-1 (Mumbai). |
| Clerk DPA | Authentication and session management for the dashboard, accounts, and admin surfaces. JWT issuance, MFA, OAuth providers. | Email, name, profile picture URL, Clerk session metadata, MFA enrolment state. | US (us-east-1) with edge points worldwide. |
| Paddle.com Market Ltd DPA | Merchant of Record. Subscription billing, payment processing, global tax (VAT/GST/sales tax) collection and remittance, invoicing, dunning. PCI DSS Level 1. | Billing email, billing address, transaction amount, tax jurisdiction. We never see card numbers. | UK + EU (Paddle.com Market Ltd is the legal entity). |
| Sentry DPA | Application error monitoring and source-map symbolication for the marketing, dashboard, auth, and admin Next.js apps and the backend Node service. | Stack traces, request URL, user-agent, anonymised user ID. PII scrubbed at the SDK before transmission. | EU (Frankfurt) or US per project; TagDrishti uses US ingest. |
| Resend DPA | Transactional email delivery: alerts, password resets, billing notices, weekly digests. | Recipient email, message subject, message body, send/delivery status. | US (us-east-1). |
| Cloudflare DPA | CDN, DNS, DDoS mitigation, WAF, Worker proxy in front of Cloud Run. TLS termination at edge. | Request metadata (IP address, user-agent, URL path, response status). No request bodies cached. | Global edge network; data centre nearest to the visitor. |
| Vercel DPA | Edge hosting for the marketing site, dashboard, auth, admin, and status apps. Serverless function execution for ISR and route handlers. | Request metadata (IP address, user-agent, URL path), function logs (no request bodies retained). | Global edge network; primary regions iad1 (US East) and bom1 (Mumbai) per project. |
| Upstash DPA | Redis caching layer for rate limits, idempotency keys, and short-lived dedup state. | Hashed identifiers, rate-limit counters, opaque keys. No PII. | Per-tenant region matched to the application region. |
Notification cadence.
Under Article 28(2) you have a right to object to the addition of a new sub-processor. We notify by email at least 30 days before any new sub-processor begins processing customer data. If you object, we will work with you to find an alternative or you may terminate the relevant subscription with pro-rata refund.
Past changes.
- 30 April 2026 — initial publication. Existing sub-processors above were already disclosed in /privacy §5 at signup; this page becomes the canonical reference going forward.
Questions.
Sub-processor questions, DPA copies, or audit reports: [email protected]. Mark the subject “sub-processor / [vendor]” for fastest routing.