We use the third parties below to operate Shrubbery. Each acts as a processor under GDPR art. 28 and is bound by a Data Processing Agreement. When we add a new sub-processor, we will update this list before the change takes effect; for material additions you will be notified by email and given the opportunity to object.
Supabase Inc.
- Purpose
- Authentication, Postgres database, file storage, secret vault.
- Data category
- Account, profile, handshake content, audit events, BYOK keys (encrypted).
- Region
- EU (Frankfurt / London — current project region)
- Transfer
- EU-resident — no third-country transfer.
- DPA
- supabase.com/legal/dpa
Vercel Inc.
- Purpose
- Web application hosting, edge functions, CDN.
- Data category
- Request logs (IP, user-agent), cookies in transit.
- Region
- EU regions (origin) with global edge cache.
- Transfer
- EU-region origin; edge cache is content-only.
- DPA
- vercel.com/legal/dpa
Resend, Inc.
- Purpose
- Transactional email delivery (handshake notifications, magic-link auth).
- Data category
- Recipient email address, message body, send/delivery metadata.
- Region
- United States.
- Transfer
- Standard Contractual Clauses (SCCs).
- DPA
- resend.com/legal/dpa
Inngest, Inc.
- Purpose
- Background workflow runner (notification fan-out, scheduled tasks).
- Data category
- Event payloads referencing handshake IDs and recipient IDs.
- Region
- United States.
- Transfer
- Standard Contractual Clauses (SCCs).
- DPA
- www.inngest.com/legal/dpa
Upstash, Inc.
- Purpose
- Rate limiting (Redis-backed quota state).
- Data category
- Authenticated user ID + request counters. No content stored.
- Region
- Regional Redis (EU when provisioned in EU region).
- Transfer
- EU region when configured for the EU; verify per deployment.
- DPA
- upstash.com/trust/dpa.pdf
Google Ireland Ltd.
- Purpose
- Aggregate, IP-anonymised web analytics for public marketing and documentation pages (Google Analytics 4). Disabled by default; only loads after explicit opt-in via the cookie banner.
- Data category
- Anonymised IP (last octet truncated), GA4 client ID, page path, referrer, UTM parameters, coarse user-agent. No authenticated user identifiers are sent.
- Region
- EU/EEA collection endpoints with onward transfer to Google LLC (United States).
- Transfer
- EU-US Data Privacy Framework (DPF) self-certification + Standard Contractual Clauses (SCCs) under Google's Controller-Processor terms.
- DPA
- business.safety.google/adsprocessorterms/
Anthropic / OpenAI / Google AI (BYOK)
- Purpose
- Smart-Paste extraction — only when you trigger it with your own API key.
- Data category
- Prompts you submit. Your key is stored encrypted in Supabase Vault.
- Region
- Determined by your nominated provider.
- Transfer
- You are the controller of your own AI provider relationship; we act as a pass-through.