Subprocessors
Third-party service providers that process personal data on behalf of MultiComply
Your Rights Regarding Subprocessors
Under GDPR Article 28, you have the right to:
- Be notified 30 days before we add new subprocessors
- Object to new subprocessors (we will assess alternatives)
- Terminate your subscription if we proceed despite your objection
- Request copies of our Data Processing Agreements with subprocessors
To exercise these rights, email privacy@multicomply.com
Current Subprocessors (4)
All third-party services that access or process customer data
| Subprocessor | Service | Data Location | Data Transferred | Added | Links |
|---|---|---|---|---|---|
Supabase Inc. US-based company | Database & Authentication PostgreSQL database hosting, user authentication, file storage, backup and recovery | Primary:European Union (Germany/Ireland) Backup:United States (encrypted backups only) | International Transfer SCCs in Processor DPA Protection Mechanisms:
Technical & Organizational Measures:
| ||
Stripe, Inc. US-based company with EU infrastructure | Payment Processing Processing subscription payments, managing billing, handling refunds, fraud prevention, tax calculation | Primary:European Union (Ireland) Backup:United States (encrypted backups only) | International Transfer EU-US DPF Certified Protection Mechanisms:
Technical & Organizational Measures:
| ||
Cloudflare, Inc. US-based company with EU infrastructure | Security & CAPTCHA Bot protection via Turnstile CAPTCHA, DDoS protection, web application firewall, CDN for static assets | Primary:European Union (multiple locations) Backup:Global edge network | International Transfer EU-US DPF Certified EU-Approved BCRs Protection Mechanisms:
Technical & Organizational Measures:
| ||
Resend Labs Inc. US-based company with EU infrastructure | Transactional Email Delivery Sending account notifications, password reset emails, DSAR verification emails, compliance alerts | Primary:European Union | EU Only |
Detailed Processor Information
Supabase Inc.SCCs in Processor DPA
Database & Authentication
Purpose of Processing
PostgreSQL database hosting, user authentication, file storage, backup and recovery
Personal Data Processed
All user data, generated documents, form answers, activity logs
Data Storage Locations
- Primary: European Union (Germany/Ireland)
- Backup: United States (encrypted backups only)
Transfer Safeguards (GDPR Chapter V)
- SCCs in Processor DPA
Technical & Organizational Measures:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- SOC 2 Type II certified
- HIPAA certified
- EU-based primary data storage
Legal Documentation
Stripe, Inc.EU-US DPF Certified
Payment Processing
Purpose of Processing
Processing subscription payments, managing billing, handling refunds, fraud prevention, tax calculation
Personal Data Processed
Name, email address, billing address, payment card details (tokenized), transaction history, IP address
Data Storage Locations
- Primary: European Union (Ireland)
- Backup: United States (encrypted backups only)
Transfer Safeguards (GDPR Chapter V)
- EU-US DPF Certified
- SCCs in Processor DPA
Technical & Organizational Measures:
- PCI-DSS Level 1 certified (highest level)
- SOC 2 Type II certified
- Card data tokenization (raw card numbers never stored)
- Strong Customer Authentication (SCA) for EU payments
Legal Documentation
Cloudflare, Inc.EU-US DPF CertifiedEU-Approved BCRs
Security & CAPTCHA
Purpose of Processing
Bot protection via Turnstile CAPTCHA, DDoS protection, web application firewall, CDN for static assets
Personal Data Processed
IP address, browser fingerprint, user agent, request metadata
Data Storage Locations
- Primary: European Union (multiple locations)
- Backup: Global edge network
Transfer Safeguards (GDPR Chapter V)
- EU-US DPF Certified
- EU-Approved BCRs
- SCCs in Processor DPA
Technical & Organizational Measures:
- ISO 27001 certified
- SOC 2 Type II certified
- Privacy-first Turnstile (no tracking cookies)
- EU traffic primarily processed in EU data centers
Legal Documentation
Resend Labs Inc.EU Only
Transactional Email Delivery
Purpose of Processing
Sending account notifications, password reset emails, DSAR verification emails, compliance alerts
Personal Data Processed
Recipient email address, recipient name, email subject and content
Data Storage Locations
- Primary: European Union
Legal Documentation
Get Notified of Changes
We'll email you 30 days before adding new subprocessors (GDPR Article 28 requirement)
You can unsubscribe at any time. We will only send emails about subprocessor changes.
Frequently Asked Questions
Why does Supabase transfer data to the United States?▼
Supabase stores all primary data on EU servers (Germany/Ireland). For disaster recovery purposes, encrypted backups are replicated to US servers.
Transfer protections in place:
- Standard Contractual Clauses (SCCs) incorporated in Supabase DPA
- AES-256 encryption (data unreadable without keys stored in EU)
- Access controls limiting US personnel access
- Supabase is SOC 2 Type II and HIPAA certified
This transfer is protected under GDPR Chapter V via Standard Contractual Clauses incorporated in the Supabase Data Processing Agreement.
What if I object to a new subprocessor?▼
Under GDPR Article 28(2), you have the right to object to new subprocessors. Here's the process:
- We notify you 30 days before adding a new subprocessor
- You have 14 days to object by emailing privacy@multicomply.com
- We will assess alternatives and respond within 7 days
- If we proceed despite your objection, you may terminate your subscription without penalty
Can I request copies of your Data Processing Agreements?▼
Yes. As a customer, you have the right to review our DPAs with subprocessors to ensure adequate data protection.
Email privacy@multicomply.com with the subject "DPA Request" and specify which subprocessor's DPA you need.
You can also access public DPAs directly via the "DPA ↗" links in the table above.
Do you use any AI services as subprocessors?▼
No. MultiComply does NOT send your data to any AI service (Anthropic Claude, OpenAI, etc.) for document generation.
All documents are generated using template-based mail-merge technology. Your form answers are inserted into lawyer-written templates stored in our Supabase database. No AI is involved in the process.