ForceWeaver/ Trust

Stay informed about changes

We give at least 30 days' notice before adding or replacing a sub-processor. To subscribe to notifications, email privacy@forceweaver.com with the subject “subscribe — sub-processor updates”.

Sub-processors

This page lists the third parties (sub-processors) we engage to process customer personal data in connection with the Revsnap service, in compliance with Article 28(2)–(4) of the UK / EU GDPR.

How we manage sub-processors

  • We perform a documented vendor risk review before onboarding any sub-processor, per the Vendor Risk Management Policy.
  • We sign a DPA (and SCCs / UK IDTA where applicable) with each sub-processor.
  • We give at least {{SUB_PROCESSOR_NOTICE_DAYS}} days' notice before adding a new or replacement sub-processor.
  • You may subscribe to notifications by emailing {{DPO_EMAIL}} with the subject "subscribe — sub-processor updates".
  • You may object on reasonable, documented data-protection grounds within the notice period; if we cannot accommodate the objection, you may terminate the affected Services per the DPA.

Current sub-processors

Sub-processor Service provided Personal data categories Processing location(s)
Supabase, Inc. Postgres database (with RLS), authentication, object storage, Vault (pgsodium) for OAuth token encryption All categories of customer data: account, snapshots, Salesforce business records, audit log, OAuth tokens {{HOSTING_REGION}} (confirm against your Supabase project region)
Vercel Inc. Application hosting, edge CDN, serverless / Fluid Compute functions, cron, deployment infrastructure All traffic to/from the Service; serverless function logs (no request bodies persisted) Global edge; primary compute in the region nearest to the request
Stripe Payments Europe Ltd / Stripe, Inc. Subscription billing, payment processing Billing contact details, subscription metadata; we do not store card numbers — Stripe does EU / US (per Stripe's processing terms)
Resend Inc. Transactional email (invites, billing receipts, security notices) Recipient email address, sender, email content EU / US
Upstash, Inc. Redis for rate limiting; QStash for scheduled background-job triggers Rate-limit counters keyed by API key / user ID; queue trigger metadata (no Salesforce business data) Region configured per project (EU available)
PostHog Inc. Product analytics — consent-gated; served via a first-party /ingest proxy Pseudonymous event data only collected after the user opts in to analytics EU (configurable)

Hosting region notes

  • The primary region for the customer database is {{HOSTING_REGION}}. EU-only data residency is a roadmap item; until then, sub-processors with global edge presence (Vercel, Stripe) may transit data outside the EU/UK in the ordinary course. Where they do, the SCCs and UK IDTA apply per the DPA.

Internal staff access

In addition to the sub-processors above, named members of {{LEGAL_ENTITY}} staff have administrative access to production systems for support, billing, security, and incident response purposes. Access is least-privilege, logged in the workspace audit log, and reviewed periodically per the Access Control Policy.

Change log

Substantive changes to this page are recorded in the governance CHANGELOG under "Sub-processor change log".

Last reviewed: 2026-05-15