Subprocessors List & Notification Policy
Effective: December 20, 2025
Last Updated: December 20, 2025
This page identifies third parties Cloud Commerce uses to process personal data and describes our change notification process. Read with our Privacy Policy, DPA, and Terms.
Core Subprocessors
These vendors support core Service functionality. Personal data processed depends on features used.
| Subprocessor | Service Provided | Processing Purpose | Data Categories |
|---|---|---|---|
| Cloudflare | DNS, security, CDN | Site delivery, DDoS mitigation, security | IP address, device metadata, request headers, logs |
| Supabase / Railway | Database, hosting | Data storage, backend infrastructure | Platform data, Merchant Customer data (as configured) |
| Stripe | Payment processing | Subscription billing, payment processing | Billing identifiers, transaction metadata |
| Vercel | Web hosting | Frontend hosting, performance | IP address, device metadata, request logs |
| PostHog | Product analytics | Feature usage analytics, improvement | Online identifiers, event data, device metadata |
| OpenAI | AI processing | AI-generated outputs (GPT-4o, DALL-E) | Prompts/inputs submitted to AI features, outputs |
| Anthropic | AI processing | AI-generated outputs (Claude) | Prompts/inputs submitted to AI features, outputs |
| Google AI | AI processing | AI-generated outputs (Gemini) | Prompts/inputs submitted to AI features, outputs |
| Upstash / Redis Cloud | Caching, session storage | Performance optimization, circuit breakers | Session data, cache data (temporary) |
AI Data Note:
You control AI prompt logging via Compliance settings (off/redacted/encrypted). We do NOT use your data to train AI models unless you explicitly opt-in.
User-Enabled Integrations (Not Our Subprocessors)
If you enable third-party integrations (CRMs, email tools, ad platforms), those services process data under their own terms. You're responsible for reviewing their privacy policies and obtaining required consents.
Changes to Subprocessors
We may add/replace subprocessors. Where required by law or DPA:
- We'll provide 30-day notice (update this page + email notification)
- You may object on documented data-protection grounds
- We'll work to resolve objections or offer alternatives
Security Expectations
Subprocessors must maintain:
- Access controls and least privilege
- Encryption in transit (TLS) and at rest where appropriate
- Incident notification procedures
- Confidentiality commitments
Last Updated: December 20, 2025
Entity: LaunchDS LLC (d/b/a Cloud Commerce)
Contact: [email protected]
See also: Data Processing Addendum