Subprocessors
Third-party service providers that process personal data on behalf of MultiComply
Your Rights Regarding Subprocessors
Under GDPR Article 28, you have the right to:
- Be notified 30 days before we add new subprocessors
- Object to new subprocessors (we will assess alternatives)
- Terminate your subscription if we proceed despite your objection
- Request copies of our Data Processing Agreements with subprocessors
To exercise these rights, email privacy@multicomply.com
Current Subprocessors (4)
All third-party services that access or process customer data
| Subprocessor | Service | Data Location | Data Transferred | Added | Links |
|---|---|---|---|---|---|
| Supabase Inc. (US-based company) | Database & Authentication: PostgreSQL database hosting, user authentication, file storage, backup and recovery | Primary: European Union (Germany/Ireland); Backup: United States (encrypted backups only) | International Transfer Safeguards: | | |
| Stripe, Inc. (US-based company with EU infrastructure) | Payment Processing: Processing subscription payments, managing billing, handling refunds, fraud prevention, tax calculation | Primary: European Union (Ireland); Backup: United States (with SCCs) | International Transfer Safeguards: | | |
| Cloudflare, Inc. (US-based company with EU infrastructure) | Security & CAPTCHA: Bot protection via Turnstile CAPTCHA, DDoS protection, web application firewall, CDN for static assets | Primary: European Union (multiple locations); Backup: Global edge network | International Transfer Safeguards: | | |
| Resend Labs Inc. (US-based company with EU infrastructure) | Transactional Email Delivery: Sending account notifications, password reset emails, DSAR verification emails, compliance alerts | Primary: European Union | EU Only | | |
Detailed Processor Information
Supabase Inc. (International Transfer)
Database & Authentication
Purpose of Processing
PostgreSQL database hosting, user authentication, file storage, backup and recovery
Personal Data Processed
All user data, generated documents, form answers, activity logs
Data Storage Locations
- Primary: European Union (Germany/Ireland)
- Backup: United States (encrypted backups only)
Transfer Safeguards (GDPR Chapter V)
- Standard Contractual Clauses (EU Commission 2021/914, Module 2)
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- SOC 2 Type II certified
- HIPAA certified
Legal Documentation
Stripe, Inc. (International Transfer)
Payment Processing
Purpose of Processing
Processing subscription payments, managing billing, handling refunds, fraud prevention, tax calculation
Personal Data Processed
Name, email address, billing address, payment card details (tokenized), transaction history, IP address
Data Storage Locations
- Primary: European Union (Ireland)
- Backup: United States (with SCCs)
Transfer Safeguards (GDPR Chapter V)
- Standard Contractual Clauses (EU Commission 2021/914, Module 2)
- PCI-DSS Level 1 certified (highest level)
- SOC 2 Type II certified
- Card data tokenization (raw card numbers never stored)
- Strong Customer Authentication (SCA) for EU payments
Legal Documentation
Cloudflare, Inc. (International Transfer)
Security & CAPTCHA
Purpose of Processing
Bot protection via Turnstile CAPTCHA, DDoS protection, web application firewall, CDN for static assets
Personal Data Processed
IP address, browser fingerprint, user agent, request metadata
Data Storage Locations
- Primary: European Union (multiple locations)
- Backup: Global edge network
Transfer Safeguards (GDPR Chapter V)
- Standard Contractual Clauses (EU Commission 2021/914, Module 2)
- Binding Corporate Rules (BCRs) approved by EU DPAs
- ISO 27001 certified
- SOC 2 Type II certified
- Privacy-first Turnstile (no tracking cookies)
Legal Documentation
Resend Labs Inc.
Transactional Email Delivery
Purpose of Processing
Sending account notifications, password reset emails, DSAR verification emails, compliance alerts
Personal Data Processed
Recipient email address, recipient name, email subject and content
Data Storage Locations
- Primary: European Union
Legal Documentation
Get Notified of Changes
We'll email you 30 days before adding new subprocessors (GDPR Article 28 requirement)
You can unsubscribe at any time. We will only send emails about subprocessor changes.
Frequently Asked Questions
Why does Supabase transfer data to the United States?
Supabase stores all primary data on EU servers (Germany/Ireland). However, for disaster recovery purposes, encrypted backups are replicated to US servers.
Safeguards in place:
- Standard Contractual Clauses (EU Commission approved)
- AES-256 encryption (data unreadable without keys stored in EU)
- Access controls limiting US personnel access
- Supabase is SOC 2 Type II and HIPAA certified
You consent to this transfer by using MultiComply. You may withdraw consent, but this may affect service availability.
What if I object to a new subprocessor?
Under GDPR Article 28(2), you have the right to object to new subprocessors. Here's the process:
- We notify you 30 days before adding a new subprocessor
- You have 14 days to object by emailing privacy@multicomply.com
- We will assess alternatives and respond within 7 days
- If we proceed despite your objection, you may terminate your subscription without penalty
Can I request copies of your Data Processing Agreements?
Yes. As a customer, you have the right to review our DPAs with subprocessors to ensure adequate data protection.
Email privacy@multicomply.com with the subject "DPA Request" and specify which subprocessor's DPA you need.
You can also access public DPAs directly via the "DPA ↗" links in the table above.
Do you use any AI services as subprocessors?
No. MultiComply does NOT send your data to any AI service (Anthropic Claude, OpenAI, etc.) for document generation.
All documents are generated using template-based mail-merge technology. Your form answers are inserted into lawyer-written templates stored in our Supabase database. No AI is involved in the process.