Version 1.0 — Effective date: 26 May 2026
This page lists the third-party sub-processors that may process personal data on behalf of VivaShelf as part of delivering the Service, the role each plays, the regions in which processing occurs, and the legal mechanism relied upon for any international transfer. We notify Customers at least 30 days in advance of any change to this list via in-app banner and email; Customers may object on reasonable data-protection grounds.
| Sub-processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Managed PostgreSQL database hosting | EU (Frankfurt) primary; US fallback | SCCs (Decision 2021/914) + encryption. |
| Vercel, Inc. | Application hosting, edge network, CDN | EU (fra1, cdg1) primary; global edge | SCCs + EU-U.S. Data Privacy Framework. |
| Resend, Inc. | Transactional email delivery | United States | SCCs + DPF. |
| Google LLC | Google Identity OAuth (opt-in sign-in) | United States | DPF + SCCs. |
| Upstash, Inc. | Redis rate-limiting and ephemeral caching | EU region preferred; US fallback | SCCs. |
| Functional Software, Inc. d/b/a Sentry | Error and performance monitoring (no session replay) | United States | SCCs + DPF. |
| Google / Apple / Mozilla push services | Web-push delivery endpoints (encrypted payload only) | Global | Contacted only when push is enabled by the user; only encrypted payload + endpoint identifier exchanged. |
| Cloudflare, Inc. | Origin shield, DDoS protection, bot mitigation | Global anycast | SCCs + DPF. |
If you wish to object to a sub-processor change, contact [email protected] within 30 days of notification. If we cannot offer a workable alternative, you may terminate the affected service with a pro-rata refund of prepaid fees.
Related: Data Processing Agreement, Privacy Policy.