Subprocessors

Last updated: 2026-04-25

Steel Motion LLC ("Styrby", "we") engages the third-party sub-processors listed below to deliver our service. Under GDPR Article 28, we maintain written contracts with each sub-processor requiring them to implement appropriate technical and organizational measures to protect personal data.

Our Data Processing Agreement (DPA) grants customers general authorization for these sub-processors and includes our commitment to notify you of intended additions or changes.

| Name | Purpose | Location | DPF Certified | Categories | Data Shared |
| --- | --- | --- | --- | --- | --- |
| Vercel | Application hosting + CDN (web dashboard, API routes, edge functions) | United States (EU-US DPF certified) | Yes | hosting | HTTP request metadata, IP addresses, user-agent strings. No session content or credentials are stored by Vercel. |
| Supabase | Postgres database, authentication, real-time relay, and storage | United States (EU-US DPF certified) | Yes | database, auth | User accounts, session metadata, encrypted message ciphertext (zero-knowledge; Styrby cannot decrypt), subscription state, audit logs, push notification tokens. |
| Polar | Subscription billing and checkout (merchant of record) | European Union (Germany) | No | payment | Email address, billing address, subscription state. Payment method metadata is stored by Polar (Styrby never receives raw card numbers). Polar is incorporated in the EU; payment data does not leave the EU. |
| Sentry | Error monitoring and performance tracing (web + mobile + CLI) | United States (EU-US DPF certified) | Yes | error-tracking | Error stack traces, user ID (hashed), request metadata, performance spans. Session message content and API keys are explicitly excluded from Sentry payloads via beforeSend scrubbing. |
| Resend | Transactional email delivery (OTP codes, team invitations, alerts) | United States | No | email | Recipient email addresses, email subject and body text for transactional notifications only. No session message content is included in emails. |
| Upstash | Redis cache for rate limiting and ephemeral session state | United States (multi-region) | No | cache | Ephemeral rate-limit keys containing hashed user IDs and IP addresses. Maximum TTL is 60 minutes. No persistent personal data is stored in Upstash. |
| Expo | Push notification delivery for the Styrby iOS and Android mobile apps | United States (EU-US DPF certified) | Yes | push | Device push tokens (APNs / FCM identifiers) and the notification payload (title and short body text). No session message content, plaintext code, or AI prompts are included in push payloads. |

About EU-US Data Privacy Framework (DPF): The DPF is a transfer mechanism approved by the European Commission in July 2023 that allows personal data to flow from the EU/EEA to certified US organizations. For sub-processors without DPF certification, Styrby relies on Standard Contractual Clauses (SCCs) or on the fact that the processor is incorporated in the EU.

This list is kept current. For questions about sub-processor changes, data processing activities, or to request notification of future updates, email [email protected].

Related: Data Processing Agreement | Privacy Policy | Retention Proof