PolicyForge relies on a limited set of subprocessors to deliver the service. Each is bound by a GDPR-compliant Data Processing Agreement (DPA) and reviewed for security before integration.
| Subprocessor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase | Database (PostgreSQL), authentication, file storage | EU (Paris) / global | View |
| Stripe | Payment processing and billing | US (with EU SCCs) | View |
| Vercel | Application hosting, serverless functions and CDN | US (iad1) — EU SCCs in place | View |
Change notification
We notify any addition, replacement, or removal of a subprocessor at least 30 days before it takes effect, by email to the administrators of each customer organisation. You may object to a new subprocessor on legitimate grounds — in which case you may terminate your subscription without penalty.
International transfers
When data is processed outside the European Union (notably by Stripe), transfers rely on the European Commission Standard Contractual Clauses, supplemented by technical measures (encryption, access controls).
Contact
For any question: contact@nagashieldsecurity.com.