Subprocessors
Last updated: 30 May 2026
This list shows all third-party providers grafcet.io currently uses as subprocessors under Art. 28 GDPR. It is updated whenever it changes.
| Provider | Role | Location | Data processed | Transfer safeguard |
|---|---|---|---|---|
| Supabase Inc. | Auth, database, cloud storage | EU (Frankfurt) | Email, password hash, profile, licences, stored GRAFCETs | EU — no third-country transfer |
| Vercel Inc. | Hosting, CDN, cron | USA | Request logs, IP address (short-term), user agent | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Lemon Squeezy LLC | Payment (Merchant of Record) | USA | Email, transaction ID, payment status (no cardholder data) | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Resend (Plus Five Five, Inc.) | Transactional & auth email (e.g. licence keys, password reset) | USA | Email address | EU-US Data Privacy Framework + Standard Contractual Clauses |
| PostHog Inc. | Usage analytics & session replays (consent-gated) | EU (eu.i.posthog.com) | Session ID, events, URLs, session replays (passwords masked) | EU — no third-country transfer |
| Cybot A/S (Cookiebot) | Consent management | EU (DK) | Consent choices, cookie ID | EU — no third-country transfer |
| Google Ireland Ltd. | OAuth login (optional) | EU / USA | Email, Google account ID | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Tally B.V. | Contact form | EU (BE) | Email address, message content | EU — no third-country transfer |
Changes
Material changes are announced on the privacy page. Existing Pro customers may object to a new subprocessor within 30 days.
Contact
Questions or a Data Processing Agreement (DPA) on request: hi@grafcet.io.