| Subprocessor | Service | Data handled | Location | Transfer basis |
|---|---|---|---|---|
| Neon DPA | Managed Postgres database | All application data at rest: customer accounts, contact records, opportunities, workforce records. | AWS eu-central-1 (Frankfurt, Germany) — EEA | No transfer outside the EEA for data at rest. |
| Vercel DPA | Application hosting (runtime) and CDN | HTTP request metadata and ephemeral request payloads while serving the application. No persistent storage of customer data. | Vercel Inc. (US). Functions execute in the region closest to the user; EU regions are used for European traffic. | Vercel DPA + EU Standard Contractual Clauses (Decision 2021/914). |
| Clerk DPA | Authentication and user-identity management | User email, password hash, session tokens, MFA factors, and authentication audit log. | Clerk, Inc. (US). | Clerk DPA + EU Standard Contractual Clauses. |
| Resend DPA | Transactional email delivery | Outbound email metadata and content (recipient address, subject, body) for emails sent from the application — typically replies to inbound inquiries and customer notifications. We are evaluating an EU-region-resident transactional-email provider as part of our data-residency roadmap. | Resend, Inc. (US). | Resend DPA + EU Standard Contractual Clauses. |
| GitHub (Microsoft) DPA | Source-code hosting and backup-artifact storage | Application source code (no customer data); database backup archives produced by our scheduled GitHub Actions workflow, retained for up to 90 days. | GitHub, Inc. (US). | GitHub DPA + EU Standard Contractual Clauses. |
| Namecheap Private Email DPA | Inbound and outbound business email (collaborate@, admin@, etc.) | Email correspondence with customers, prospects, vendors. Includes any personal data contained in those emails. Used for ad-hoc business correspondence; not the platform's transactional path. | Namecheap, Inc. — mail hosted in the US. | Namecheap DPA + EU Standard Contractual Clauses. |
How we notify customers of changes
We give existing customers at least 30 days’ noticebefore adding or replacing a subprocessor that processes their data. Notice is given by email to the customer’s designated privacy contact and by updating this page. The version number and “Last updated” date at the top of this page change with every revision; the full revision history is available in our public source repository.
How to object
If you have a reasonable, GDPR-grounded objection to a new subprocessor, email admin@balanspointe.com within the notice period. We will work with you to find a resolution; if none can be reached, you may terminate the affected service as provided in our DPA.