Sub-processors
Version 2026-05-31 · Effective May 31, 2026
1. Our Sub-processors
To deliver Conduct Studio we engage the third-party service providers (sub-processors) listed below. Each Processes personal data only as needed to provide its function, and each is bound by a Data Processing Agreement with terms no less protective than those in our customer Data Processing Addendum (conductstudio.com/legal/dpa). We remain fully responsible to you for their performance.
2. Current List
The table below reflects our current sub-processors, their function, location, and DPA. Transfers outside the EU/EEA are protected by Standard Contractual Clauses, the EU-US Data Privacy Framework where the recipient is certified, and/or the UK/Swiss addenda, with supplementary measures.
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase Inc. | Authentication, database, file storage, realtime | EU (AWS eu-west-1) | supabase.com/legal/dpa |
| Vercel Inc. | Application hosting, web portal, serverless functions, cron | EU region (dub1); company USA — SCCs/DPF | vercel.com/legal/dpa |
| Stripe, Inc. / Stripe Payments Europe | Payment processing, billing, tax | EU + USA (SCCs/DPF applied) | stripe.com/legal/dpa |
| Brevo SAS | Transactional email delivery | EU (France) | brevo.com/legal/dpa |
| PostHog Inc. | Product analytics (account ID, organisation ID, feature-usage events) — only with consent | EU (eu.posthog.com) | posthog.com/dpa |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracing (PII scrubbed) | USA (SCCs/DPF applied) | sentry.io/legal/dpa |
| Cloudflare, Inc. | Encrypted off-site backups (R2 storage) | EU / USA (SCCs/DPF applied) | cloudflare.com/cloudflare-customer-dpa |
3. Changes & Notifications
We review our sub-processors at least annually and update this page when they change. We provide advance notice before authorising any new sub-processor to process customer personal data. To receive these notifications, email privacy@mail.conductstudio.com with the subject "Subscribe to sub-processor updates". Customers may object to a new sub-processor on reasonable data-protection grounds as described in the Data Processing Addendum.