SUB-PROCESSORSUpdated 2026-06-04
Sub-processors
Third-party services DLTD uses to process customer data. Required for DPA compliance under GDPR Art. 28. Business customers receive written notice 30 days before any addition or substitution.
Supabase, Inc.
Vendor site →Service
Database (Postgres), authentication, edge functions, storage
Data Processed
All user PII (encrypted at rest), authentication credentials, broker scan records, AI audit findings, inbox findings
Region
United States (AWS US-East-1)
Vercel, Inc.
Vendor site →Service
Web app hosting (Next.js), CDN, edge runtime
Data Processed
HTTP request metadata, session cookies (server-rendered, not persisted by Vercel)
Region
United States (multiple regions)
Stripe, Inc.
Vendor site →Service
Subscription billing, payment processing
Data Processed
Email, billing address, payment method (tokenized — DLTD never sees full card numbers)
Region
United States
Resend, Inc.
Vendor site →Service
Transactional email (broker opt-out demands, verification links, breach demands)
Data Processed
Email addresses, email content (transactional only — never marketing)
Region
United States / European Union
Google LLC
Vendor site →Service
Gmail API (Inbox Audit feature — metadata only, never message bodies)
Data Processed
Gmail OAuth tokens, message headers (From, Subject, Date, List-Unsubscribe)
Region
United States
Anthropic PBC
Vendor site →Service
Claude API (LLM-powered Business admin dashboard features only; not used for consumer-tier flows)
Data Processed
Anonymized prompt content for admin-side analytics. Never user PII.
Region
United States
RevenueCat, Inc.
Vendor site →Service
iOS subscription management (App Store purchases)
Data Processed
Apple subscription identifiers, entitlement state
Region
United States
Cloudflare, Inc.
Vendor site →Service
DNS, DDoS protection, Turnstile bot mitigation on public scan form
Data Processed
HTTP request metadata, IP addresses (used for bot detection only)
Region
Global edge network
Notification ·Business and Enterprise customers can subscribe to a changelog at security@dltd.app to receive written notice of sub-processor changes.
Cross-border transfers ·Where sub-processors are located outside the EU/UK, transfers are governed by Standard Contractual Clauses (SCCs Module 2 — Controller- to-Processor, 2021/914/EU) incorporated by reference in the DLTD DPA.