Under GDPR Article 28, we are required to tell you, in advance, who we engage as a sub-processor and to give you a fair chance to object before a new one starts processing your data. The table below is the canonical list. We update it whenever we add, replace, or remove a vendor, and we email everyone subscribed to the change list at least 14 days before any new vendor goes live.
Subprocessors
The companies we trust with customer data.
A complete, public list of every third-party service that processes personal data on Veracly's behalf — what they do, where they run, and the data they touch.
Last updated: 2026-04-29
Anthropic, PBC
PurposeAI text generation for the plain-English explanations, executive summaries, and translated remediation guidance in your compliance reports.
Data categoriesTechnical violation data and a short HTML snippet of the offending element. No customer name, contact, or organisation data is sent.
Infrastructure regionUnited States (us-west-2)
Transfer mechanismEU Standard Contractual Clauses (Module 2 / 3, 2021) plus the EU–US Data Privacy Framework where the vendor is self-certified. Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), access logging, and contractual data-residency commitments where offered.
Amazon Web Services EMEA SARL (S3)
PurposeObject storage for generated PDF reports, scan artefacts, and customer-uploaded evidence.
Data categoriesGenerated PDF reports, scan output JSON, customer-uploaded evidence files, and verification artefacts.
Infrastructure regioneu-central-1 (Frankfurt) · us-east-1 (Virginia)
Transfer mechanismEU Standard Contractual Clauses (Module 2 / 3, 2021) plus the EU–US Data Privacy Framework where the vendor is self-certified. Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), access logging, and contractual data-residency commitments where offered.
Clerk, Inc.
PurposeAuthentication, session management, MFA, and the user profile UI.
Data categoriesName, email, password hash, MFA factors, login IP, device fingerprint.
Infrastructure regionUnited States (multi-region) · EU residency on request
Transfer mechanismEU Standard Contractual Clauses (Module 2 / 3, 2021) plus the EU–US Data Privacy Framework where the vendor is self-certified. Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), access logging, and contractual data-residency commitments where offered.
Resend, Inc.
PurposeTransactional email delivery — verification emails, scan-complete notifications, billing alerts, and privacy responses.
Data categoriesRecipient name, email, the message body and headers, delivery telemetry (bounces, opens).
Infrastructure regionUnited States · Frankfurt edge processing
Transfer mechanismEU Standard Contractual Clauses (Module 2 / 3, 2021) plus the EU–US Data Privacy Framework where the vendor is self-certified. Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), access logging, and contractual data-residency commitments where offered.
Stripe Payments Europe, Ltd.
PurposePayment processing, subscription billing, invoicing, and tax-document generation.
Data categoriesBilling address, name, email, VAT/ABN, card last-4, payment method tokens, transaction history.
Infrastructure regionIreland (EU) · United States (cross-border for fraud detection)
Transfer mechanismEU Standard Contractual Clauses (Module 2 / 3, 2021) plus the EU–US Data Privacy Framework where the vendor is self-certified. Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), access logging, and contractual data-residency commitments where offered.
Supabase, Inc.
PurposePrimary application database — accounts, organisations, sites, scans, findings, and the audit log.
Data categoriesAll customer profile, organisation, site, scan, and finding records — encrypted at rest with KMS.
Infrastructure regioneu-central-1 (Frankfurt) — primary · read replicas in us-east-1
Transfer mechanismEU Standard Contractual Clauses (Module 2 / 3, 2021) plus the EU–US Data Privacy Framework where the vendor is self-certified. Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), access logging, and contractual data-residency commitments where offered.
Upstash, Inc.
PurposeRedis-backed job queue (BullMQ) and cache for scan workers and rate limits.
Data categoriesJob payloads (site URL, scan parameters), rate-limit counters, idempotency keys.
Infrastructure regioneu-west-1 (Frankfurt) — primary · multi-region replicas
Transfer mechanismEU Standard Contractual Clauses (Module 2 / 3, 2021) plus the EU–US Data Privacy Framework where the vendor is self-certified. Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), access logging, and contractual data-residency commitments where offered.
Vercel, Inc.
PurposeMarketing site and dashboard hosting, edge runtime for the Next.js app, build logs, and deployment artefacts.
Data categoriesHTTP request logs (path, status, latency), build artefacts, deployment metadata.
Infrastructure regionGlobal edge network · build & log storage in US (iad1)
Transfer mechanismEU Standard Contractual Clauses (Module 2 / 3, 2021) plus the EU–US Data Privacy Framework where the vendor is self-certified. Supplementary measures: encryption in transit (TLS 1.3) and at rest (AES-256), access logging, and contractual data-residency commitments where offered.
How we notify you about changes
When we plan to add a new sub-processor we will: (1) update this page, (2) email everyone on the subprocessor-changes mailing list, and (3) wait at least 14 calendar days before the new vendor begins processing your data, so customers have a meaningful window to object. If you object, we will work with you in good faith to find an alternative; if no alternative is feasible, you may terminate the affected service for breach with a pro-rata refund.
Stay informed
Get notified when this list changes.
Email privacy@veracly.app and ask to be added to the subprocessor-changes list. We will email you at least 14 days before any new vendor begins processing your data.