Who I share data with — and under what mechanism.
This page lists every third-party processor that touches personal data on philipsloth.com. Each is engaged under a Data Processing Agreement (DPA) and operates as a processor on my behalf — not an independent controller. If a vendor is added, removed, or substantively changed, the change-log at the bottom of this page records it on the date it took effect.
Current sub-processors
| Vendor | Role | Region | Transfer mechanism | DPA |
|---|---|---|---|---|
Stripe Stripe Payments Europe Ltd, Ireland; Stripe Inc., USA | Payment processing — card auth, charge, refund, dispute evidence, hosted receipt pages. | EEA + USA | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs) | DPA → |
Resend Resend Inc., USA | Transactional email — contact-form replies, payment receipts, GDPR rights-request responses. | USA | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs) | DPA → |
Supabase Supabase Inc., USA | Postgres database + authentication + Row-Level-Security. Stores: contact form submissions, payment_links rows, business_settings, admin_allowlist, analytics events. | EU (eu-central-1, Frankfurt) | Data resides in EU. Standard Contractual Clauses (SCCs) cover any cross-region admin access. | DPA → |
Cloudflare Cloudflare Inc., USA | Hosting (Pages), edge compute (Workers — contact, checkout, analytics), DDoS protection, DNS, R2 object storage. Logs: country, request path, user-agent (no IP retention beyond 7 days at edge). | Global edge network — request handled by nearest PoP | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs) | DPA → |
International transfers
Some sub-processors are established in the United States. Transfers from the EU to those vendors are made under the EU-US Data Privacy Framework (in force since 10 July 2023), supplemented by Standard Contractual Clauses (Article 46 GDPR) where required. A copy of the SCCs in force for any specific transfer is available on request.
The Data Privacy Framework is currently the subject of legal challenge (Schrems III, pending before the Court of Justice of the European Union). If the framework is invalidated, the SCC fallback applies and I will assess whether additional safeguards are required for each transfer.
Change-log
Material changes to this list are recorded here. Active engagements affected by an addition or change are also notified by email under GDPR Art. 28(2).
- 2026-05-01 · added(initial publication)Page published. Pre-existing sub-processors (Stripe, Resend, Supabase, Cloudflare) were already disclosed in the inline privacy-notice table; this dedicated page is now the canonical list.
Contact
Questions about a specific sub-processor or the transfer mechanisms — email [email protected]. Requests for a copy of a specific DPA or SCC are also handled at this address.