Legal
Subprocessors
Last updated: March 5, 2026
About Our Subprocessors
Traceable Digital uses carefully selected third-party service providers ("subprocessors") to operate and deliver the Platform. A subprocessor is any entity that processes personal data or customer data on our behalf in the course of providing our services.
Under the General Data Protection Regulation (GDPR) and our Data Processing Agreement, we are required to maintain a list of subprocessors and to inform our customers when we engage new subprocessors or make material changes to existing ones.
Each subprocessor is bound by a data processing agreement that imposes data protection obligations no less protective than those in our own Data Processing Agreement. We conduct due diligence on all subprocessors before engagement, including assessment of their security practices, GDPR compliance, and data transfer mechanisms where applicable.
Current Subprocessors
The following third-party subprocessors are currently engaged by Traceable Digital to process personal data and customer data in the course of delivering the platform:
| Subprocessor | Purpose | Processing Location | Transfer Mechanism |
|---|---|---|---|
| Supabase, Inc. | Database hosting (PostgreSQL), user authentication, and file storage. Primary data store for all platform data. | EU (Ireland) | EU hosting — no transfer outside EEA |
| Vercel, Inc. | Application hosting, CDN edge network, and serverless function execution. | EU (primary); global edge CDN for static assets | EU-U.S. Data Privacy Framework |
| Anthropic, PBC | AI Document Intelligence — processes uploaded documents to extract product passport data. Zero-data-retention agreement in place: no data is stored or used for model training. | United States | Standard Contractual Clauses (SCCs) + zero-data-retention DPA |
| Stripe, Inc. | Payment processing and subscription billing. Processes billing contact details and payment method metadata (card last 4, expiry). Full card data is processed by Stripe and never stored by Traceable. | EU (Ireland) + United States | EU-U.S. Data Privacy Framework |
| Resend, Inc. | Transactional email delivery — account invitations, OTP codes, notifications, and supplier data request emails. | United States | Standard Contractual Clauses (SCCs) |
| Cloudflare, Inc. | Content delivery network (CDN), DDoS protection, Web Application Firewall (WAF), and DNS. Processes IP addresses and HTTP request metadata. | EU data centres preferred; global network | EU-U.S. Data Privacy Framework |
For questions about a specific subprocessor's data protection practices or to exercise your right to object, contact privacy@traceable.digital.
Notification of Changes
We will notify customers at least 30 days before engaging a new subprocessor or making a material change to an existing subprocessor. Notification will be sent to the email address associated with your account.
Right to Object
If you have a reasonable objection to a new subprocessor based on data protection grounds, you may notify us in writing at privacy@traceable.digital within 30 days of the notification. Your objection must include specific, documented reasons related to data protection.
Request Subprocessor List
The detailed list of our current subprocessors — including their purpose, data processing location, and categories of data processed — is available upon request. Please complete the form below and we will send you the current subprocessor list within one business day.
Alternatively, you can email us directly at privacy@traceable.digital.