Active third parties in the data-processing stack
Subprocessors
Last updated: [EDIT date]
The following third-party service providers process personal data as part of the Trailmaker platform. Changes are announced to existing customers at least 30 days in advance by email (see DPA §6).
| Name | Purpose | Region | Transfer mechanism | Legal docs |
|---|---|---|---|---|
| Supabase (Inc.) | Postgres-Datenbank, Authentifizierung, Realtime, Edge Functions, Storage | EU (Frankfurt) | No third-country transfer (EU/EEA only) | Documents |
| Vercel (Inc.) | Frontend-Hosting (Next.js), Edge-CDN, serverlose API-Routen | EU + global CDN | Certified under EU-US Data Privacy Framework (DPF) | Documents |
| Google Cloud (Google Ireland Limited) | Engine-Hosting auf Cloud Run (europe-west1), Vertex AI für Gemini-Router | EU (Belgium, europe-west1) | Certified under EU-US Data Privacy Framework (DPF) | Documents |
| Anthropic (PBC) | Claude Sonnet 4 für Strategie-Outputs (Prompt + Completion) | USA | Standard Contractual Clauses (SCC, 2021) + TIA | Documents |
| Stripe (Payments Europe Limited) | Billing, Zahlungsabwicklung, Rechnungserstellung, Webhooks | EU (Irland) | Certified under EU-US Data Privacy Framework (DPF) | Documents |
| Resend (Resend, Inc.) | Transaktionale + Onboarding-E-Mails (Welcome, Day-3-Check-in, Day-6-Conversion). Supabase-Auth-E-Mails laufen separat. | EU (Domain trailmaker.app in EU-Region verifiziert) | No third-country transfer (EU/EEA only) | Documents |
| Meta Platforms Ireland Limited | Meta-Pixel + Conversions API (Ad-Attribution, Conversion-Tracking, Custom-Audience-Aufbau). Erst nach Einwilligung im Consent-Banner geladen. Verarbeitet IP, User-Agent, _fbp/_fbc-Cookies sowie für eingeloggte Nutzer gehashte Identifier (E-Mail, externe User-ID, Name, Land aus Rechnungsdaten). | EU (Irland) als Vertragspartner; Daten-Export an Meta Platforms, Inc. (USA, Muttergesellschaft) | DPF + SCC fallback | Documents |
| PostHog (PostHog, Inc.) | Produkt-Analytics, Session-Replay (nur identifizierte Nutzer, 30%-Sample, alle Inputs maskiert). Erst nach Einwilligung im Consent-Banner geladen. | EU (eu.posthog.com) | No third-country transfer (EU/EEA only) | Documents |
| Sentry (Functional Software, Inc.) | Fehler- und Performance-Monitoring (Stacktraces, anonymisierte Request-Daten — sendDefaultPii=false, Header-Scrub auf authorization/cookie/set-cookie). | USA (Sentry Cloud) | Certified under EU-US Data Privacy Framework (DPF) | Documents |
Changes
When we add new subprocessors or replace existing ones, we notify registered Agency and Studio customers by email at least 30 days before they take effect. In this case the Customer has an extraordinary right of termination under § 26 BDSG if the replacement would be unreasonable for them.