Sub-processors
PostalDataPI engages the following third-party service providers to operate the service. Each is bound by a written agreement to protect personal data, including transfer mechanisms where applicable.
This list is current as of the page's last revision date. We commit to providing at least 30 days' advance notice of any addition or change of sub-processor. To subscribe to change notifications, email privacy@postaldatapi.com with the subject "Sub-processor notifications."
Partners (and customers, where applicable) may object to a new sub-processor within 30 days of notice if the addition presents specific, material privacy risks. If we cannot accommodate the objection, you may terminate the underlying agreement under its termination provisions without penalty.
Current sub-processors
| Sub-processor | Purpose | Personal data | Location | Transfer mechanism |
|---|---|---|---|---|
| Stripe, Inc. and affiliates | Payment processing, partner payouts via Stripe Connect, KYC, tax-form generation (1099-NEC, W-8) | Customer billing, partner identity, contact, financial, tax ID | United States (with global affiliates) | Stripe's DPA with SCCs Module 1; SOC 2 Type II + PCI DSS Level 1 published |
| Vercel Inc. | Application hosting, edge delivery, static asset CDN | Customer technical data, partner technical data, request payloads (which may contain PII) | United States (with global edge) | Vercel's DPA with SCCs; SOC 2 Type II published |
| Neon Inc. | PostgreSQL database (application data storage) | All persisted customer and partner data | United States (with optional regional availability) | Neon's DPA with SCCs; SOC 2 Type II published |
| Sentry (Functional Software, Inc.) | Error monitoring and observability | Limited technical data; PII filtering configured | United States | Sentry's DPA with SCCs; SOC 2 Type II published |
| ImprovMX | Email forwarding for @postaldatapi.com email aliases (support@, partners@, privacy@, etc.) | Email content addressed to those aliases | France (EU) | EU-to-EU transfer for EU residents; ImprovMX DPA in effect |
| Google LLC (Workspace) | Business email infrastructure for the PostalDataPI team | Email content sent to and from the team | United States | Google Workspace DPA with SCCs |
How we manage sub-processors
- Vendor selection. Sub-processors are selected in part for their published security postures (SOC 2 Type II, PCI DSS, ISO 27001, or equivalent). We verify these certifications periodically.
- Contractual flowdowns. Each sub-processor agreement includes appropriate data protection terms — for processor relationships, GDPR Article 28-equivalent terms; for controller-to-controller relationships, appropriate safeguards.
- Cross-border transfers. Where a sub-processor is located outside the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses, the UK Addendum, or the Swiss FADP equivalent.
- Reviews. We review our sub-processor list against operational changes; major additions or replacements get the 30-day advance notice described above.
Subscribing to change notifications
Email privacy@postaldatapi.com with the subject "Sub-processor notifications" and your preferred email address.
You will be notified at least 30 days in advance of:
- Any new sub-processor added
- Any sub-processor replaced
- Any material change in the location or scope of an existing sub-processor's processing
We will not retire this notification list without giving subscribers at least 30 days' notice.
Questions: privacy@postaldatapi.com.
This page mirrors the full sub-processor disclosure in the Partner Data Protection Addendum, Appendix F.