Subprocessors | CraftCert

Service	Purpose	Data processed	Location
Supabase	Authentication, database hosting, and file storage	Account data, product data, formulations, labels, evidence records, session tokens	UK (AWS eu-west-2, London)
Stripe	Payment processing and subscription management	Billing details, payment card data, subscription status, customer ID	US/EU
Resend (Plus Five Five, Inc.)	Transactional email delivery	Email addresses, email content (account notifications)	US (Delaware) — EU sending region available. Operated by Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114.
Netlify	Website hosting and deployment	HTTP request metadata (IP addresses, user agents) via server logs	US/EU
GoatCounter	Privacy-focused website analytics	Aggregate page view data only — no personal data, no cookies	EU
Sentry	Error monitoring and performance tracking	Error stack traces, browser metadata, request IDs. No formulation or ingredient data.	US/EU
Upstash	Rate limiting and abuse prevention	IP addresses and user IDs (temporarily, for rate limit windows)	EU
Microsoft 365	Support mailbox + DSR-instruction inbox (support@craftcert.co.uk)	Email addresses, email content (inbound support and data-subject-request correspondence)	Ireland (EU) — Microsoft Ireland Operations Limited

Service

Purpose

Data processed

Location

Supabase

Authentication, database hosting, and file storage

Account data, product data, formulations, labels, evidence records, session tokens

UK (AWS eu-west-2, London)

Stripe

Payment processing and subscription management

Billing details, payment card data, subscription status, customer ID

US/EU

Resend (Plus Five Five, Inc.)

Transactional email delivery

Email addresses, email content (account notifications)

US (Delaware) — EU sending region available. Operated by Plus Five Five, Inc., 2261 Market Street #5039, San Francisco, CA 94114.

Netlify

Website hosting and deployment

HTTP request metadata (IP addresses, user agents) via server logs

US/EU

GoatCounter

Privacy-focused website analytics

Aggregate page view data only — no personal data, no cookies

Sentry

Error monitoring and performance tracking

Error stack traces, browser metadata, request IDs. No formulation or ingredient data.

US/EU

Upstash

Rate limiting and abuse prevention

IP addresses and user IDs (temporarily, for rate limit windows)

Microsoft 365

Support mailbox + DSR-instruction inbox (support@craftcert.co.uk)

Email addresses, email content (inbound support and data-subject-request correspondence)

Ireland (EU) — Microsoft Ireland Operations Limited

Note on US management-plane access

Several sub-processors above are operated by US-headquartered entities (Supabase, Upstash) whose engineers may exercise management-plane access to data resident in EU/UK regions for the purposes of operating, maintaining, and supporting the underlying infrastructure. Such transfers are governed by the EU Standard Contractual Clauses (2021, Module 2) and the UK International Data Transfer Addendum / IDTA in each provider's DPA. See our Data Processing Agreement Schedule 3 and Privacy Policy for full transfer-mechanism detail per sub-processor.

Changes to this list

We will update this page when we add or remove subprocessors. Material changes are notified in advance: we email all customers at least 30 days before adding a new subprocessor or changing how an existing one processes personal data. If you object to a planned change you can reply to the notification email; we'll work with you on alternatives or, where the change is unavoidable, on terminating your account cleanly (including a pro-rata refund where applicable).

Subprocessor additions that are strictly technical successors of an existing processor (for example, a new Stripe region or a Supabase infrastructure change that stays within our existing data-residency commitments) do not require a 30-day notice; we publish those as an update to this page.

Contact

Questions about our subprocessors? Contact support@craftcert.co.uk.