// legal
Sub-processors
Third-party services we use to operate SybilShield. Each is bound by a written DPA. Subscribe to change notifications (30-day advance notice).
| vendor | purpose | data | region | dpa |
|---|---|---|---|---|
| Vercel | Frontend hosting | HTTP logs, IP | USA · global edge | DPA |
| Railway | API + worker hosting | App data, logs | USA (us-west-2) | DPA |
| Supabase | Managed Postgres | All customer records | EU (Frankfurt) | DPA |
| Upstash | Managed Redis (queue) | Job payloads | EU (Frankfurt) | DPA |
| Cloudflare | CDN, DNS, WAF | Request metadata | Global edge | DPA |
| Alchemy | RPC provider | Public on-chain queries | USA | DPA |
| Postmark | Transactional email | Email addr, subject | USA | DPA |
| GitGuardian | Secret leak scanning | Public repo content | EU (France) | DPA |
| PostHog | Product analytics | Pseudonymous events | EU (Germany) | DPA |
| Sentry | Error tracking | Stack traces, hash | USA | DPA |
Data residency summary
PRIMARY
Customer records — EU (Frankfurt). Supabase + Upstash.
EDGE
Static assets + DNS — global edge. No customer PII.
BILLING
None. SybilShield is a free public good — no payment processors, no billing data.