Why this list exists
Under Article 28 of the EU and UK General Data Protection Regulation, a processor must publish or otherwise make available the list of sub-processors it engages, so customers can review the chain of providers who may handle personal data on their behalf. We maintain this page as the authoritative public list.
Active sub-processors
Vercel Inc.
- Purpose: Frontend hosting and global content delivery for invoset.com and the customer dashboard.
- Data accessed: Page request metadata, IP addresses (transient), authentication tokens forwarded to Supabase, basic product analytics.
- Hosting region: United States, with edge points of presence globally.
- Certifications: SOC 2 Type 2, ISO 27001, GDPR-aligned (DPA available).
- DPA: https://vercel.com/legal/dpa
- Privacy policy: https://vercel.com/legal/privacy-policy
Supabase Inc.
- Purpose: Primary database (Postgres), authentication service, and object storage for generated reports and screenshots.
- Data accessed: Account profile (email, name), site domains submitted, scan results, accessibility findings, certificate artifacts, audit-trail PDFs.
- Hosting region: United States (US-East, Virginia) for the Invoset project.
- Certifications: SOC 2 Type 2, GDPR-aligned (DPA available), HIPAA-eligible.
- DPA: https://supabase.com/legal/dpa
- Privacy policy: https://supabase.com/privacy
Render Services Inc.
- Purpose: Hosting for the Invoset API service and the background scanner worker that runs accessibility tests.
- Data accessed: All customer data routed through the API and processed by the worker, including site domains and scan output.
- Hosting region: United States (US-East, Ohio) for the Invoset deployment.
- Certifications: SOC 2 Type 2, ISO 27001, HIPAA-eligible, GDPR-aligned (DPA available).
- DPA: https://render.com/legal/dpa
- Privacy policy: https://render.com/legal/privacy
Sendinblue SA (operating as Brevo)
- Purpose: Transactional email delivery for account notifications, scan completion alerts, and compliance digest emails.
- Data accessed: Recipient email address, recipient name, scan summary content included in the message body.
- Hosting region: European Union (primary data center: France).
- Certifications: ISO 27001, GDPR-aligned (DPA available), French CNIL guidance for transactional senders.
- DPA: https://www.brevo.com/legal/termsofuse/dpa/
- Privacy policy: https://www.brevo.com/legal/privacypolicy/
Stripe Payments Europe, Ltd. / Stripe, Inc.
- Purpose: Payment processing, subscription billing, customer portal, and tax-relevant transaction records for paid Invoset plans.
- Data accessed: Billing email address, customer name, billing address, payment instrument metadata (Stripe stores card details; Invoset does not), subscription status, invoice history, and webhook event payloads.
- Hosting region: United States (Stripe, Inc.) for North American customers; Ireland (Stripe Payments Europe, Ltd.) for EEA customers.
- Certifications: PCI DSS Level 1, SOC 1 Type 2, SOC 2 Type 2, ISO 27001, GDPR-aligned (DPA available), CCPA-aligned.
- DPA: https://stripe.com/legal/dpa
- Privacy policy: https://stripe.com/privacy
Notice of changes
We will update this list before adding any new sub-processor that has access to personal data. Active customers will receive at least 30 days' advance notice by email. Customers who object to a new sub-processor for material reasons may terminate their subscription with a pro-rata refund of any prepaid amounts for the unused term, subject to the conditions in our Refund Policy.
Future additions on the roadmap
We expect to engage the following provider as the product grows. It is listed here for transparency even though it is not active yet and does not currently process customer data:
- OpenAI (vision model for context-aware scan augmentation), planned for a later release. We will update this page and provide at least 30 days' prior notice to active customers before any customer data is sent to OpenAI.
Historical note: We previously contemplated LemonSqueezy as a merchant-of-record payment provider but did not engage them. Payment processing is now handled by Stripe (see Active sub-processors above).
Questions
For data-protection or sub-processor questions, email legal@invoset.com.