# Approved Subprocessors List

**Last Updated:** March 18, 2026  
**Version:** 1.0  
**Classification:** Public

To assist in the delivery of our services, AccountScope ("we", "our", or "us") engages third-party entities as Subprocessors. These subprocessors process personal data on behalf of our customers (Data Controllers) as described in our Data Processing Addendum (DPA).

We enforce strict security and privacy standards with all our subprocessors. Every subprocessor is evaluated for UK GDPR compliance, data residency regulations, and technical security controls.

---

## 1. Core Infrastructure & Data Storage

Entity Name | Corporate Headquarters | Processing Activity / Role | Processing Location | Data Residency / GDPR Compliance
---|---|---|---|---
**Supabase, Inc.** | United States | Database Backend, Authentication & Secure Object Storage | United Kingdom (AWS London Region) | Data stored strictly in UK London Region. SOC 2 Type II compliant.
**Amazon Web Services (AWS)** | United States | Underlying Cloud Infrastructure & Backup Storage | United Kingdom (AWS London Region) | Data stored strictly in UK London Region. SOC 2 Type II, ISO 27001 compliant.
**Vercel, Inc.** | United States | Application Hosting & Serverless Edge Functions | UK & Europe | Static and dynamic route delivery. SOC 2 Type II compliant.

---

## 2. Specialized Processing Services

Entity Name | Corporate Headquarters | Processing Activity / Role | Processing Location | Data Residency / GDPR Compliance
---|---|---|---|---
**OpenAI, Inc.** | United States | Transaction Categorization & Financial Anomaly Matching | Europe / United States | Enterprise API integration governed by strict zero-data-retention (ZDR) agreements. Statements are never stored or used to train models. SOC 2 compliant.
**Resend, Inc.** | United States | Transactional Email Services (Welcome, reset links, status updates) | Europe / United States | Governed by a data protection agreement (DPA). SOC 2 compliant.
**PostHog, Inc.** | United States | Application Performance & Feature Analytics | Europe | Only anonymized application usage metrics are processed. Sensitive financial data is never tracked. GDPR compliant.

---

## 3. Billing & Payment Processing

Entity Name | Corporate Headquarters | Processing Activity / Role | Processing Location | Data Residency / GDPR Compliance
---|---|---|---|---
**Stripe Payments Europe, Ltd.** | Ireland | Billing Portal & Payment Transaction Processing | UK & Europe | Processes subscription billing details. Credit cards are processed directly by Stripe and never touch AccountScope servers. PCI-DSS Level 1 compliant.

---

## 4. Updates & Notification Policy

4.1. AccountScope reviews and audits subprocessors regularly.

4.2. We will notify registered administrators of subscribed accounts 30 days prior to authorized onboarding of any new subprocessor.

4.3. Customers may object to the engagement of a new subprocessor on reasonable grounds related to data protection by submitting written notice to `privacy@accountscope.app`.
