Spinative — Sub-processors
Effective date: 2026-05-10
Last updated: 2026-05-19
A sub-processor is a third-party service provider that processes personal data on our behalf in connection with the Spinative platform. This list discloses the sub-processors we use, what data they process, and where they are located.
We engage sub-processors only when:
- A written data-processing agreement is in place between us and the sub-processor
- The sub-processor offers sufficient guarantees of compliance with GDPR Article 28
- For international transfers, appropriate safeguards (Standard Contractual Clauses or an adequacy decision) are in place
Current sub-processors
| Sub-processor | Service | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Vercel Inc. | Hosting, CDN, edge functions, DNS | Account data, project content, server logs, IP addresses | United States | Standard Contractual Clauses (SCCs) |
| Clerk Inc. | Authentication, user management | Email, name, hashed password, login events, session data | United States | Standard Contractual Clauses (SCCs) |
| Supabase Inc. | PostgreSQL database, object storage | All persisted Customer Content, account data, project payloads | United States (primary data store for our project is in the EU AWS region eu-north-1 (Stockholm)) | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. / Stripe Payments Europe Ltd. | Subscription billing, payments | Billing name, address, VAT ID, last 4 digits of card, transaction metadata | Stripe Payments Europe Ltd. (Ireland) for EU customers; Stripe, Inc. (US) for global infrastructure | EU contract for EU customers; SCCs for US transfers |
| OpenAI, OpCo, LLC | AI image generation (gpt-image-1) | Prompts, project meta, generated outputs | United States | Standard Contractual Clauses (SCCs); enterprise tier with no-training policy |
| Replicate, Inc. | Background-removal model (rembg) | Character images uploaded for processing | United States | Standard Contractual Clauses (SCCs) |
| Resend Inc. | Transactional email delivery | Recipient email, email content (subject, body) | Region: eu-west-1 (Ireland) for our project; control plane in US | Standard Contractual Clauses (SCCs) |
| Upstash, Inc. | Redis-based rate limiting | Hashed user identifier (Clerk userId), rate-limit counters | United States | Standard Contractual Clauses (SCCs) |
| Google LLC (Google Analytics 4) | Website usage analytics (only with user consent) | Anonymised IP, pageviews, time-on-site, traffic source, browser/device metadata | United States | Standard Contractual Clauses (SCCs); EU-US Data Privacy Framework |
Where data is stored
For most categories of data, the persistent store of record is Supabase (PostgreSQL + Storage), region eu-north-1 (Stockholm). The internal lawyer brief flagged the previous "Ireland" wording as contradicting trust-and-security.md and customer-data-protection-faq.md, which both agree on Stockholm; this page was aligned to the canonical region on 2026-05-19. The platform's compute and edge infrastructure runs on Vercel's global edge network; copies of data may be cached at edge locations worldwide for performance, but the source of truth remains in the EU.
| Data category | Primary location |
|---|---|
| Account data | EU (Supabase / Clerk EU mirror where available) |
| Project content (payloads, comments, snapshots) | EU (Supabase) |
| Generated assets (images) | EU (Supabase Storage) |
| Email recipient + content | EU during send (Resend Ireland) |
| Logs / metrics | US (Vercel observability) |
| AI prompts in transit | US (OpenAI / Replicate) |
| Website analytics (only after consent) | US (Google Analytics 4 — anonymised) |
Notification of changes
When we add a new sub-processor or change the processing locations or mechanisms of an existing one, we will:
1. Update this list and the "Last updated" date at the top
2. Notify business customers (those with an active paid plan) by email at least 30 days before the change takes effect
3. Allow customers to object to the change by terminating their subscription before it takes effect, in line with the DPA at dpa.md
Contact
For questions about our sub-processors or our use of them, contact hello@spinative.com.
