Skip to content
PolicyForge

Subprocessors

Subprocessor list

Last updated: June 23, 2026

PolicyForge relies on a limited set of subprocessors to deliver the service. Each is bound by a GDPR-compliant Data Processing Agreement (DPA) and reviewed for security before integration.

SubprocessorPurposeLocationDPA
SupabaseDatabase (PostgreSQL), authentication, file storageEU (Paris) / globalView
StripePayment processing and billingUS (with EU SCCs)View
VercelApplication hosting, serverless functions and CDNEU (Paris, cdg1) — global edge CDN; US SCCs in placeView
ResendTransactional and lifecycle email delivery (account, welcome, follow-up)US (with EU SCCs)View
SentryApplication error monitoring and diagnosticsUS (with EU SCCs)View
CloudflareAnti-bot protection (Turnstile) on sign-upUS (with EU SCCs)View

Change notification

We notify any addition, replacement, or removal of a subprocessor at least 30 days before it takes effect, by email to the administrators of each customer organisation. You may object to a new subprocessor on legitimate grounds — in which case you may terminate your subscription without penalty.

International transfers

When data is processed outside the European Union (notably by Stripe), transfers rely on the European Commission Standard Contractual Clauses, supplemented by technical measures (encryption, access controls).

Contact

For any question: contact@nagashieldsecurity.com.