Subprocessors
Last updated: April 20, 2026
The third-party services that help us deliver SquareBreach. We notify customers via email at least 30 days before adding a new subprocessor that processes personal data.
Active subprocessors
| Service | Purpose | Location | Transfer |
|---|---|---|---|
| Supabase | Authentication, Postgres database, file storage | EU (Frankfurt) | Within EEA |
| Mollie B.V. | Card / iDEAL / Bancontact / Apple Pay payments | Netherlands (EU) | Within EEA |
| NOWPayments | Cryptocurrency payments | Cyprus | Within EEA / SCCs for any extra-EEA processing |
| OathNet | Upstream breach / stealer / OSINT data source | EU | Within EEA |
| Vercel | Hosting, edge network, CDN | Global edge with EU primary | Standard Contractual Clauses where applicable |
| Sentry | Error monitoring (optional, only if enabled) | EU (Frankfurt) | Within EEA |
| Resend / Postmark | Transactional email (account verification, receipts) | EU | Within EEA |
How we evaluate subprocessors
Every subprocessor is reviewed for:
- GDPR-compatible data processing terms (DPA in place).
- Encryption of personal data in transit and at rest.
- SOC 2, ISO 27001, or equivalent third-party security audits.
- Track record on incident disclosure and breach notification.
Notifications
To receive 30-day advance notice of new subprocessors, email privacy@squarebreach.com with the subject “Subprocessor notifications”.