Sub-processors
Last updated: June 16, 2026
What this is. Every third-party vendor we use to operate Wallat, what each does, where they are, and how data leaving the EEA/UK is protected. A vendor is a "sub-processor" when they handle personal data for us under contract; they can't use it for their own purposes.
If you have a paid Wallat subscription and would like email notification before we add or change a sub-processor, write to [email protected] with the subject line "Subscribe to sub-processor updates".
Current sub-processors
| Vendor | Purpose | Data category | Location | Transfer mechanism |
|---|---|---|---|---|
| Google Cloud Platform | Application hosting, object storage | All processed data (at rest) | EU / US (multi-region) | EU-US Data Privacy Framework + SCCs |
| Neon | PostgreSQL database | Account data, profile content, CRM events | EU-Central (Frankfurt) | EEA — no extra-EEA transfer |
| Tinybird | Analytics events store (heatmaps, replay metadata) | Visitor events, hashed identifiers | EU / UK | EEA / UK adequacy |
| Stripe | Payment processing | Billing data, payment method (held by Stripe, never by us) | US; Ireland entity for EU customers | EU-US Data Privacy Framework + SCCs |
| Resend | Transactional email delivery | Account email, email content | US | Standard Contractual Clauses |
| Upstash | Rate limiting and cache (Redis) | Request metadata, session tokens | US / EU (varies by Redis region) | Standard Contractual Clauses |
| Sentry | Error monitoring and stack-trace capture | Stack traces, browser metadata, scrubbed user ID | EU (Frankfurt) | EEA — no extra-EEA transfer |
| Google Analytics 4 | Marketing-site analytics (consent-gated) | Anonymised IP, page views, device class — only after consent | US / EU | EU-US Data Privacy Framework |
| Cloudflare | CDN, DDoS protection, bot management | Request metadata, IP | Global edge | Standard Contractual Clauses |
Changes
We notify subscribers (see above) by email at least 30 days before adding a new sub-processor or before a material change in scope. Where required by your DPA, you have the right to object; if we can't resolve the concern, you may terminate your subscription on the timetable allowed by your contract.
What's intentionally not on this list
- MaxMind. We use the MaxMind GeoLite2 database for IP-to-country lookups, but the lookup runs locally on our servers — no data is sent to MaxMind. They are a data source, not a processor.
- Apple, Google, and Samsung Wallet platforms. When you publish a wallet pass, our servers issue a signed pass file that the user installs in their device wallet. We don't transmit your data to those wallet platforms beyond the contents of the pass the user chose to create.
- Browser push services (Apple Push Notification service, Firebase Cloud Messaging, Mozilla Autopush). When a user opts in to push, their browser issues an opaque endpoint we send notifications to. We don't see device identity beyond that endpoint.
Contact
Questions about a sub-processor or transfer mechanism: [email protected].