Sub-processor List

Regtrue uses the following third-party service providers to process data on behalf of our customers. All sub-processors have signed Data Processing Agreements (DPAs) and meet our security requirements.

Change Notifications

We update this list at least 30 days before adding new sub-processors. Subscribe to notifications by emailing support@regtrue.com.

Sub-processor	Purpose	Data Processed	Location	DPA
Vercel Inc.	Web hosting and edge network	IP addresses, request logs, cookies	EU (Frankfurt) — pinned region	Signed
Supabase Inc.	Database, authentication, storage	All customer data, user accounts, files	EU (Frankfurt)	Signed
Upstash, Inc.	Redis caching and rate limiting	Session data, rate limit counters	EU (Frankfurt)	Signed
Cloudflare, Inc.	JavaScript library CDN (cdnjs.cloudflare.com)	IP addresses (no app data — used for static assets only)	Global edge (EU PoPs preferred)	Signed
Inngest, Inc.	Durable background jobs and event orchestration	Job event payloads (may include ESG data fragments)	USA (EU SCCs)	Signed
OpenAI, L.L.C.	AI text generation and analysis	Prompts containing ESG data (not stored, not used for training)	USA (EU SCCs)	Signed
Google LLC (Gemini)	AI text generation and OCR	Prompts containing ESG data (not stored, not used for training)	EU	Signed
Anthropic PBC	AI text generation (backup / failover)	Prompts containing ESG data (not stored, not used for training)	USA (EU SCCs)	Signed
Stripe Payments Europe Ltd.	Payment processing and subscription billing	Billing information, payment cards (PCI scope outside Regtrue)	EU (Ireland) + USA (EU SCCs)	Signed
Resend, Inc.	Transactional email delivery	Email addresses, email content	USA (EU SCCs)	Signed
Functional Software, Inc. (Sentry)	Error tracking and monitoring	Error logs, stack traces, sanitised user context	EU	Signed
Google LLC (Tag Manager / Analytics)Consent-gated	Web analytics tag orchestration	Page views, anonymised event metadata (loaded ONLY after explicit `analytics` cookie consent)	USA (EU SCCs) — IP anonymisation enabled	Signed
Microsoft Corporation (Clarity)Consent-gated	Session replay for UX analysis	Anonymised session recordings with PII masking (loaded ONLY after explicit `marketing` cookie consent)	USA (EU SCCs)	Signed

AI Provider Data Handling

Our AI providers (OpenAI, Google Gemini, Anthropic) process data only for real-time inference:

Data is NOT used for model training
Prompts are NOT stored after processing
All providers have signed enterprise DPAs with data retention disabled

International Data Transfers

For sub-processors located outside the EEA (marked as "USA"), we ensure GDPR-compliant transfers through:

EU-U.S. Data Privacy Framework (where certified)
Standard Contractual Clauses (EU Commission approved)
Supplementary security measures as required

Questions?

If you have questions about our sub-processors or need documentation for your compliance needs:

Data Protection Officer

IMPACTIO TECHNOLOGY OÜ

Email: support@regtrue.com

Related Documents

Data Processing Agreement

GDPR Article 28 compliant DPA

How we handle your personal data

Trust Center

Security and compliance overview