Last updated: May 15, 2026
Sub-processors
This page lists the third parties (sub-processors) we engage to process customer personal data in connection with the Revsnap service, in compliance with Article 28(2)–(4) of the UK / EU GDPR.
How we manage sub-processors
- We perform a documented vendor risk review before onboarding any sub-processor.
- We sign a DPA (and SCCs / UK IDTA where applicable) with each sub-processor.
- We give at least 30 days’ notice before adding a new or replacement sub-processor.
- You may subscribe to notifications by emailing support with the subject “subscribe — sub-processor updates”.
- You may object on reasonable, documented data-protection grounds within the notice period; if we cannot accommodate the objection, you may terminate the affected Services per the DPA.
Current sub-processors
| Sub-processor | Service | Personal data categories | Location(s) |
|---|---|---|---|
| Supabase, Inc. | Postgres database (with RLS), authentication, object storage, Vault (pgsodium) for OAuth token encryption | All categories of customer data: account, snapshots, Salesforce business records, audit log, OAuth tokens | Primary hosting region (configured per Supabase project) |
| Vercel Inc. | Application hosting, edge CDN, serverless / Fluid Compute functions, cron, deployment infrastructure | All traffic to/from the Service; serverless function logs (no request bodies persisted) | Global edge; primary compute in the region nearest to the request |
| Stripe Payments Europe Ltd / Stripe, Inc. | Subscription billing, payment processing | Billing contact details, subscription metadata; we do not store card numbers — Stripe does | EU / US (per Stripe’s processing terms) |
| Resend Inc. | Transactional email (invites, billing receipts, security notices) | Recipient email address, sender, email content | EU / US |
| Upstash, Inc. | Redis for rate limiting; QStash for scheduled background-job triggers | Rate-limit counters keyed by API key / user ID; queue trigger metadata (no Salesforce business data) | Region configured per project (EU available) |
| PostHog Inc. | Product analytics — consent-gated; served via a first-party /ingest proxy | Pseudonymous event data only collected after the user opts in to analytics | EU (configurable) |
Hosting region notes
EU-only data residency is a roadmap item; until then, sub-processors with global edge presence (Vercel, Stripe) may transit data outside the EU/UK in the ordinary course. Where they do, the SCCs and UK IDTA apply per the DPA.
Internal staff access
In addition to the sub-processors above, named members of Revsnap staff have administrative access to production systems for support, billing, security, and incident response purposes. Access is least-privilege, logged in the workspace audit log, and reviewed periodically.