Sub-processor List
Last updated: April 2026
In accordance with Art. 28 GDPR and our Data Processing Agreement, we publish the complete list of third-party organisations (“sub-processors”) that we engage to process personal data on behalf of our customers.
We will notify customers of any material changes to this list (additions or replacements) by updating this page and, where required by the DPA, providing advance notice. Customers who object to a new sub-processor may terminate their subscription in accordance with the Terms of Service.
For the current list of Standard Contractual Clauses and transfer mechanisms, or to request a countersigned DPA, contact dpa@vulnproscan.com.
| Sub-processor | Purpose | Location | Data Categories | Transfer Mechanism |
|---|---|---|---|---|
| Vercel Inc. | Cloud hosting and serverless compute (Next.js deployment) | United States | Account data, scan data, API traffic logs | EU SCCs (Module 2) |
| Supabase Inc. / PostgreSQL (self-hosted or Supabase) | Primary relational database — user records, audit logs, scan results, integration configs | United States (configurable) | Account data, audit logs, integration credentials (encrypted) | EU SCCs (Module 2) |
| Upstash / Vercel KV (Redis-compatible) | Rate limiting, session blocklist, invite code store, API key cache | United States (configurable region) | Email addresses (hashed), rate-limit counters, invite codes (hashed) | EU SCCs (Module 2) |
| Stripe Inc. | Payment processing and subscription billing | United States | Billing contact details, payment metadata (no card numbers stored by Vuln Pro Scan) | EU SCCs (Module 2) |
| SMTP Provider (operator-configured) | Transactional email — invite codes, account alerts, scan notifications | Operator-configured (e.g., SendGrid, AWS SES, Gmail) | Email addresses, invite codes | EU SCCs where applicable |
| Google LLC (Google Fonts) | Web font delivery (Plus Jakarta Sans, JetBrains Mono) loaded on page render | United States | IP address, browser User-Agent (transmitted on font requests) | EU SCCs (Module 1) |
| Slack Technologies LLC | Optional webhook notifications for scan results (user-configured integration) | United States | Scan summary data, finding counts (sent to user-configured webhook URL) | EU SCCs (Module 2) |
| Atlassian Pty Ltd (Jira) | Optional Jira integration for creating security findings as issues (user-configured) | United States / Australia | Scan finding descriptions, severity ratings (sent to user-configured Jira project) | EU SCCs (Module 2) |
| OWASP ZAP (self-hosted) | Security scanning engine — performs DAST scans on user-specified targets | Operator-controlled infrastructure (not a third-party sub-processor) | Scan target URLs, HTTP response content | N/A — self-hosted by operator |
Notes
- Operator-configured integrations (SMTP, Slack, Jira) are optional and only active when you provide credentials in your account settings. If you do not configure these integrations, no data is shared with the corresponding sub-processor.
- Google Fonts: To eliminate this data transfer entirely, you may self-host the font files. Contact us if you require a build with self-hosted fonts.
- The ZAP scanning engine is self-hosted on infrastructure you or we control and is not a third-party sub-processor in the GDPR sense.
- EU SCCs referenced are the 2021 modular Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021).
Questions about sub-processors?
Contact our data protection team at dpa@vulnproscan.com. For our Data Processing Agreement, visit /dpa.