The third parties that help us deliver the Service. We name them so your procurement team can review them. We notify you thirty (30) days before adding a new one.
The table below lists every entity we have engaged as a Sub-Processor under the Data Processing Addendum (§7). Each entity is bound by a written data processing agreement that imposes data protection obligations no less protective than those in our DPA. All production data is stored and processed in the continental United States.
| Vendor | Region | Service to placement.solutions | Data accessed | Contract |
|---|---|---|---|---|
| Cloudflare, Inc.cloudflare.com | Global edge, US ingress | WAF, DNS, DDoS protection, edge TLS termination | Source IP, user agent, request URL, request headers (transient at the edge, not stored long-term) | DPA + SCCs |
| Fly.io, Inc.fly.io | US (iad, ord, sjc) | Application compute and container orchestration | All in-memory request and response data while serving the request; nothing persisted by Fly outside our application volumes | DPA |
| Neon Inc.neon.tech | US-East (AWS us-east-2) | Managed Postgres for account, billing, and audit data | Account, billing, configuration, audit log records | DPA + SCCs |
| Upstash, Inc.upstash.com | US-East (AWS us-east-1) | Managed Redis for rate-limit counters, session cache, ephemeral queues | Authenticated session tokens (TTL bounded), rate-limit counters keyed by API key prefix | DPA + SCCs |
| Stripe, Inc.stripe.com | United States | Payment processing, invoicing, subscription billing | Billing contact name, billing address, payment instrument metadata, tax ID | DPA + SCCs |
| Postmark (ActiveCampaign, LLC)postmarkapp.com | United States | Transactional email delivery (account verification, invoices, security alerts) | Recipient email, message body, delivery metadata | DPA + SCCs |
| Resend, Inc.resend.com | United States | Marketing and product update email (opt-in only) | Recipient email, subscription state, message engagement metadata | DPA + SCCs |
| Functional Software, Inc. (Sentry)sentry.io | United States (US data residency tier) | Error monitoring and performance tracing | Stack traces, application breadcrumbs, browser session metadata; we scrub IPs, emails, and authentication tokens before send | DPA + SCCs |
| Axiom, Inc.axiom.co | United States (US tier) | Structured log storage and query for the API gateway and backend services | Per-call log lines (timestamp, route, key prefix, status, latency) | DPA + SCCs |
| Mintlify, Inc.mintlify.com | United States | Hosting for the public documentation site at docs.placement.solutions | Visitor IP, user agent, page views (anonymous) | DPA + SCCs |
| BetterStack (Apex Marketing s.r.o.)betterstack.com | EU and US edge | Public status page, uptime monitoring, on-call paging | Subscriber email for status notifications, uptime probe results | DPA + SCCs |
We notify customers at least thirty (30) days before adding or replacing a Sub-Processor. Notification is sent to the admin contact on file and posted on this page with the new effective date. Customers may subscribe to email notifications by writing to hunter@placement.solutions; we treat that mailbox subscription as the authoritative notification list and do not require the admin contact and the subscription contact to be the same person.
During the thirty-day notice window, customers may object to a new Sub-Processor on reasonable data protection grounds by writing to hunter@placement.solutions. If we cannot accommodate the objection within fifteen (15) days, the affected customer may terminate the relevant portion of the Service with pro-rata refund of unused prepaid fees, per DPA §7.
The vendors listed above are the only third parties with access to Customer Data in the production path. Vendors used purely for internal corporate operations (payroll, expense management, HR systems) do not receive Customer Data and are out of scope of this disclosure. If you are conducting a vendor risk assessment that requires that information, write to hunter@placement.solutions.