Sub-processors
Last reviewed: [DATE TO FILL]
These companies process customer data on our behalf to operate Trade Management. Each has signed a Data Processing Agreement (DPA) with us. We review this list annually and announce material changes (additions, removals) to account owners via email at least 30 days in advance.
Vercel, Inc.
- Purpose
- Application hosting + edge delivery
- Data handled
- All web traffic, application logs
- Location
- United States (Washington DC, Oregon)
- Compliance
- SOC 2 Type II, ISO 27001, HIPAA-eligible BAA available
Supabase, Inc.
- Purpose
- Database, authentication, file storage
- Data handled
- All tenant data, user credentials, uploaded photos & signatures
- Location
- United States (us-east-1, AWS)
- Compliance
- SOC 2 Type II, HIPAA-eligible BAA on paid plans
Cloudflare, Inc.
- Purpose
- CDN + DDoS protection + WAF
- Data handled
- HTTP requests (metadata in transit only)
- Location
- Global edge network
- Compliance
- SOC 2 Type II, ISO 27001, PCI DSS
Stripe, Inc.
- Purpose
- Payment processing + invoicing
- Data handled
- Billing emails, customer payment methods (never seen by us)
- Location
- United States
- Compliance
- PCI DSS Level 1, SOC 1, SOC 2
Twilio, Inc.
- Purpose
- SMS delivery to your customers
- Data handled
- Recipient phone numbers, message bodies
- Location
- United States
- Compliance
- SOC 2 Type II, HIPAA-eligible BAA available
Resend, Inc.
- Purpose
- Transactional email delivery
- Data handled
- Recipient emails, message bodies
- Location
- United States
- Compliance
- SOC 2 Type II
Mapbox, Inc.
- Purpose
- Driving directions + arrival-time estimates
- Data handled
- Lat/long coordinates (no PII)
- Location
- United States
- Compliance
- SOC 2 Type II
Sentry, Inc.
- Purpose
- Application error tracking
- Data handled
- Error stack traces, user agent, IP (scrubbed of PII before send)
- Location
- United States
- Compliance
- SOC 2 Type II
Questions?
For DPA copies or specific compliance documentation, email privacy@yourdomain.com.