Loading…
RegulatoryBridge engages the third-party sub-processors below to provide the Services. When we provide processor services to a customer, each sub-processor processes personal data on the customer's behalf and is bound by written terms providing protection at least as protective as our DPA. The customer's contracting entity and Data Processing Addendum determine the precise sub-processor scope.
| Sub-processor | Service | Purpose | Location | Transfer mechanism | Category |
|---|---|---|---|---|---|
| Amazon Web Services, Inc. | AWS (EC2, S3, RDS, KMS) | Primary cloud hosting and storage for customer-facing services. | EU (Ireland) primary, with US fallback | EU SCCs (Module 2) | Infrastructure |
| Vercel Inc. | Vercel | Edge runtime, image optimisation, deployment platform for marketing surface. | Global edge network (CDN) | EU SCCs + DPA | Infrastructure |
| Cloudflare, Inc. | Cloudflare (CDN, WAF, Bot Management, DNS) | DDoS protection, WAF, request routing, DNS, bot management. | Global edge network | EU SCCs + DPA | Infrastructure |
| Google LLC | Workspace (Gmail, Drive, Meet) | Internal email, document collaboration, video meetings. | EU + US | EU-US DPF + EU SCCs | Communications |
| Resend, Inc. | Resend | Transactional email delivery (account, billing, breach notifications). | US, EU region available | EU SCCs + DPA | Communications |
| Mailchimp / Intuit Inc. | Mailchimp | Marketing email (newsletters, regulatory updates) — only with consent. | US | EU SCCs + DPF | Communications |
| Twilio Inc. | Twilio (SMS, voice) | Emergency-response SMS, voice notifications for breach workflow. | Global, EU region for EU traffic | EU SCCs + DPA | Communications |
| Plausible Insights OÜ | Plausible Analytics | Privacy-friendly website analytics — only with consent. | EU (Estonia) | Within EEA — no transfer | Analytics |
| Google LLC | Google Analytics 4 | Supplementary funnel analytics — only with consent. IP truncation enabled. | US + EU | EU-US DPF + EU SCCs | Analytics |
| Sentry, Inc. | Sentry | Application error monitoring, performance traces. | EU region (Frankfurt) by default | EU SCCs | Analytics |
| HubSpot, Inc. | HubSpot CRM + Marketing Hub | Sales pipeline, contact records, marketing automation. | US + EU | EU SCCs + DPF | CRM/Sales |
| Slack Technologies LLC | Slack | Internal team communication, customer Slack-Connect channels. | US, EU data residency available | EU SCCs | Communications |
| Stripe, Inc. / Stripe Payments Europe Ltd | Stripe | PCI-DSS-compliant payment processing for subscription billing. | EU (Ireland) for EU customers, US for others | EU SCCs | Payments |
| Linear Orbit Inc. | Linear | Internal task tracking for engineering and customer support. | US | EU SCCs + DPA | Support |
| Notion Labs, Inc. | Notion | Internal knowledge base, runbooks, customer-facing onboarding handbooks. | US | EU SCCs | Support |
Before engaging a new sub-processor that will process customer personal data, we will provide at least 30 days' prior notice via email (to the contact of record on your account) and by updating this page. You may object to a new sub-processor on reasonable grounds within that window, and we will work in good faith to find a solution or, if none is workable, allow you to terminate the affected service.
See the Data Processing Addendum for the contractual terms governing sub-processor engagements. For specific questions email dpo@regulatorybridge.com.