// legal
Sub-processors
Third-party services we use to operate SybilShield. Each is bound by a written DPA. Subscribe to change notifications (30-day advance notice).
| vendor | purpose | data | region | dpa |
|---|---|---|---|---|
| Vercel | Frontend hosting | HTTP logs, IP | USA · global edge | DPA |
| Railway | API + worker hosting | App data, logs | USA (us-west-2) | DPA |
| Supabase | Managed Postgres | All customer records | EU (Frankfurt) | DPA |
| Upstash | Managed Redis (queue) | Job payloads | EU (Frankfurt) | DPA |
| Cloudflare | CDN, DNS, WAF | Request metadata | Global edge | DPA |
| Alchemy | RPC provider | Public on-chain queries | USA | DPA |
| Stripe | Card payments (USD) | Billing email, last4 | USA + global | DPA |
| NowPayments | Crypto checkout | Wallet, invoice | EU (Netherlands) | DPA |
| Postmark | Transactional email | Email addr, subject | USA | DPA |
| GitGuardian | Secret leak scanning | Public repo content | EU (France) | DPA |
| PostHog | Product analytics | Pseudonymous events | EU (Germany) | DPA |
| Sentry | Error tracking | Stack traces, hash | USA | DPA |
Data residency summary
PRIMARY
Customer records — EU (Frankfurt). Supabase + Upstash.
EDGE
Static assets + DNS — global edge. No customer PII.
BILLING
Cards — Stripe (PCI-DSS L1). Crypto — NowPayments (EU).