Legal
Subprocessors
Last updated: June 29, 2026
GCPR Communications LLC LLC engages the third-party subprocessors below to deliver GCPR. Each subprocessor is bound by written terms substantially equivalent to our Data Processing Addendum and limited to the data needed for the listed purpose. We will provide reasonable advance notice of material changes to this list so customers may object on data-protection grounds.
1. Current subprocessors
| Provider | Purpose | Data | Region | Certifications |
|---|---|---|---|---|
| Supabase, Inc. | Managed Postgres database, authentication, object storage | All customer + client data (encrypted at rest) | USA (us-east-1) | SOC 2 Type II, HIPAA-ready on eligible plans |
| Cloudflare, Inc. | Edge runtime, CDN, DNS, DDoS protection | Request metadata, IP, TLS termination | Global edge | SOC 2 Type II, ISO 27001, PCI DSS |
| Stripe Payments, Inc. | Card processing, subscription billing, Connect payouts | Cardholder data (we never see PAN/CVV), billing contact | USA | PCI DSS Level 1, SOC 1/2, ISO 27001 |
| Resend, Inc. | Transactional email delivery (invoices, invites, notifications) | Recipient email, message metadata, delivery events | USA | SOC 2 Type II |
| Google LLC (Gmail API, optional) | Outbound mail send when customer connects Gmail OAuth | OAuth tokens, message metadata for sends initiated by the customer | USA | ISO 27001, SOC 2/3 |
| Twilio, Inc. (optional) | SMS notifications for event channel followers | Phone number, message content | USA | SOC 2 Type II, ISO 27001 |
| Lovable (the platform hosting the application) | Application hosting, build pipeline, preview environments | Application code, build artifacts, deploy metadata | USA / EU edge | See provider trust page |
2. Notice of changes
To receive advance notice of new or replaced subprocessors, email privacy@gcprhq.com with the subject line "subprocessor notifications". Customers on a signed DPA receive notice automatically.
© 2026 GCPR Communications LLC LLC. All rights reserved.
