Legal

Subprocessors

Last updated: June 29, 2026

GCPR Communications LLC LLC engages the third-party subprocessors below to deliver GCPR. Each subprocessor is bound by written terms substantially equivalent to our Data Processing Addendum and limited to the data needed for the listed purpose. We will provide reasonable advance notice of material changes to this list so customers may object on data-protection grounds.

1. Current subprocessors

ProviderPurposeDataRegionCertifications
Supabase, Inc.Managed Postgres database, authentication, object storageAll customer + client data (encrypted at rest)USA (us-east-1)SOC 2 Type II, HIPAA-ready on eligible plans
Cloudflare, Inc.Edge runtime, CDN, DNS, DDoS protectionRequest metadata, IP, TLS terminationGlobal edgeSOC 2 Type II, ISO 27001, PCI DSS
Stripe Payments, Inc.Card processing, subscription billing, Connect payoutsCardholder data (we never see PAN/CVV), billing contactUSAPCI DSS Level 1, SOC 1/2, ISO 27001
Resend, Inc.Transactional email delivery (invoices, invites, notifications)Recipient email, message metadata, delivery eventsUSASOC 2 Type II
Google LLC (Gmail API, optional)Outbound mail send when customer connects Gmail OAuthOAuth tokens, message metadata for sends initiated by the customerUSAISO 27001, SOC 2/3
Twilio, Inc. (optional)SMS notifications for event channel followersPhone number, message contentUSASOC 2 Type II, ISO 27001
Lovable (the platform hosting the application)Application hosting, build pipeline, preview environmentsApplication code, build artifacts, deploy metadataUSA / EU edgeSee provider trust page

2. Notice of changes

To receive advance notice of new or replaced subprocessors, email privacy@gcprhq.com with the subject line "subprocessor notifications". Customers on a signed DPA receive notice automatically.

© 2026 GCPR Communications LLC LLC. All rights reserved.