What a sub-processor is
Under UK GDPR and EU GDPR, a "sub-processor" is any external service we use that, in the course of running Ops2Sell, has technical access to customer data. We distinguish between sub-processors (which touch customer data) and general vendors (accounting, payroll, office tools — which don't). This page lists only the former.
Current sub-processors
The table below is the complete list. If a service you expect to see isn't here, we're not sending your data to it.
| Vendor | Purpose | Data category | Region |
|---|---|---|---|
| Vercel Inc. | Application hosting, edge compute, static asset CDN | All customer data in transit | United States (EU / UK edge regions) |
| Supabase Inc. | Primary database (PostgreSQL) and object storage | All customer data at rest | European Union (Frankfurt) |
| Google (Firebase Authentication) | Identity provider for login, session tokens, MFA | Email, name, authentication metadata | United States / Ireland |
| Stripe Payments Europe, Ltd. | Subscription billing, invoicing, payment processing | Name, email, billing address, VAT ID, payment card (tokenized) | Ireland (EU) / United States |
| Resend Inc. | Transactional email (invitations, receipts, notifications) | Recipient email address, email content | United States |
| Upstash Inc. | Edge rate-limiting, distributed counters, webhook dedup | Hashed rate-limit keys, ephemeral counters (no payload) | European Union (Dublin) |
| Sentry (Functional Software, Inc.) | Error monitoring and performance telemetry | Error stack traces, truncated request metadata (PII scrubbed) | United States (EU data residency option) |
| Expo (650 Industries, Inc.) | Mobile app over-the-air updates, crash reports | Device OS, app version, update channel | United States |
| Google Cloud (Gemini API) | AI Copilot — insights, natural-language queries, forecasting | Prompt text and relevant data context (processed, not retained) | European Union / United States |
International transfers
Some sub-processors are located outside the UK and EEA. Where that's the case, the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) plus the UK International Data Transfer Addendum (IDTA) with the relevant vendor. Copies are available on request.
How we choose sub-processors
- They must offer signed DPAs with SCC / IDTA coverage.
- They must demonstrate at least SOC 2 Type II, ISO 27001, or equivalent security assurance.
- They must be GDPR-aligned on data subject rights (access, deletion, portability).
- They must support encryption in transit and at rest by default.
Change notifications
We'll update this page within 30 days of adding or removing a sub-processor. Customers on annual contracts can opt in to email notifications when this page changes by emailing privacy@ops2sell.com. Under our DPA, you have 30 days after notification to object to a newly-added sub-processor before they receive any data.
Contact
Questions about this list, our contracts, or international transfer mechanisms — email privacy@ops2sell.com.