Sub-processors & International Transfers
VendorTrace uses a small number of third-party processors to operate the service. This page lists each processor, what data they receive, where they process it, and the safeguard that applies to any transfer outside the EEA.
Change notification policy
We will notify customers at least 30 days before adding a new sub-processor or making a material change to an existing one. Notifications are sent by email to the account holder. Any customer may object in writing within 30 days of notification. If we cannot accommodate the objection without materially altering the Services, either party may terminate the affected Services with 30 days' notice. Customers on prepaid plans receive a pro-rata refund for the unused period.
AWS Cognito
DPA / Privacy policy
- Purpose: User authentication and identity management
- Data categories: Email address, name, hashed credentials, Cognito user ID
- Location: EU (eu-north-1, Stockholm, Sweden)
- Transfer safeguard: No transfer outside EEA. AWS GDPR DPA applies.
AWS DynamoDB
DPA / Privacy policy
- Purpose: Primary data store for scan results, account data, and audit logs
- Data categories: Email address, account settings, domain names submitted for scanning, scan results, IP addresses (audit logs)
- Location: EU (eu-north-1, Stockholm, Sweden)
- Transfer safeguard: No transfer outside EEA. AWS GDPR DPA applies.
AWS Bedrock
DPA / Privacy policy
- Purpose: AI-assisted vendor research: vendor identification, compliance evidence, report summaries
- Data categories: Domain names and subdomain names submitted for scanning
- Location: EU (eu-west-1, Ireland)
- Transfer safeguard: No transfer outside EEA. AWS GDPR DPA applies.
AWS SES
DPA / Privacy policy
- Purpose: Internal notification email (bug reports, system alerts)
- Data categories: Internal email addresses only. No customer personal data.
- Location: EU (eu-north-1, Stockholm, Sweden)
- Transfer safeguard: No transfer outside EEA. AWS GDPR DPA applies.
AWS Amplify / CloudFront
DPA / Privacy policy
- Purpose: UI hosting and global content delivery for the VendorTrace web application
- Data categories: IP address and browser request metadata recorded in CloudFront access logs. No customer account or scan data is stored in CloudFront.
- Location: EU (eu-north-1, Stockholm) primary hosting. CloudFront serves static assets via a global CDN.
- Transfer safeguard: No customer account data transferred outside EEA. CloudFront edge delivery of static assets (HTML, JS, CSS) is a global service. AWS GDPR DPA applies.
Stripe
DPA / Privacy policy
- Purpose: Payment processing and subscription management
- Data categories: Email address, billing name and address, payment card data (tokenised by Stripe; we do not receive card numbers). Stripe customer ID and subscription ID stored on our side.
- Location: US (primary processing)
- Transfer safeguard: Standard Contractual Clauses (SCCs, EU Commission Decision 2021/914, Module 2: Controller to Processor). Stripe also participates in the EU-US Data Privacy Framework.
Tavily
DPA / Privacy policy
- Purpose: Web search API used to gather publicly available compliance evidence for vendor research (certifications, DPA URLs, trust page content)
- Data categories: Domain names and vendor names submitted for scanning. No personal data about your organisation's users is sent.
- Location: US
- Transfer safeguard: Standard Contractual Clauses (SCCs, EU Commission Decision 2021/914, Module 3: Processor to Sub-Processor).
Cloudflare
DPA / Privacy policy
- Purpose: Bot detection and CAPTCHA verification (Turnstile) on public-facing forms
- Data categories: IP address and browser characteristics of the form submitter. No form content is sent to Cloudflare.
- Location: US (global network; EU processing available under Cloudflare's DPA)
- Transfer safeguard: Standard Contractual Clauses (SCCs, EU Commission Decision 2021/914, Module 2). Cloudflare also participates in the EU-US Data Privacy Framework.
Resend
DPA / Privacy policy
- Purpose: Transactional email delivery (password resets, email verification, plan notifications, contact form submissions, design partner applications)
- Data categories: Email address and name of the sender or recipient
- Location: US
- Transfer safeguard: Standard Contractual Clauses (SCCs, EU Commission Decision 2021/914, Module 3: Processor to Sub-Processor).
Google LLC
DPA / Privacy policy
- Purpose: If you connect the Google Workspace integration: read-only access to your Workspace OAuth audit reports to discover third-party apps in your environment
- Data categories: OAuth access and refresh tokens, Workspace domain name, discovered third-party app names and client IDs. No email, calendar, Drive, or user profile data is read.
- Location: US (API processing by Google)
- Transfer safeguard: Standard Contractual Clauses apply. Only collected when you explicitly connect the integration. Disconnecting deletes all stored tokens immediately.
All AWS sub-processors operate under the AWS GDPR Data Processing Addendum. SCCs referenced above use the Standard Contractual Clauses approved by the European Commission on 4 June 2021 (Decision 2021/914). Module 2 (Controller to Processor) applies where LINA Solutions AB acts as data controller. Module 3 (Processor to Sub-Processor) applies where LINA Solutions AB acts as data processor on behalf of customers.
Questions about data transfers or to request a copy of the relevant SCCs: info@vendortrace.io
