Subprocessors / vendor register
This is the canonical public list for subprocessors handling personal data on behalf of ProSafetyMatch. It aligns with the DPA, privacy statement and the current product configuration.
Application hosting
Vercel Inc.
Web app, API, cron and static asset delivery
Region: Serverless runtime EU-oriented (Vercel region); build/CDN artefacts may differ per environment — to be confirmed per production project
Data types: HTTP metadata, request logs, application payloads, session cookies via edge
Status: Required for SaaS hosting
Database & authentication
Supabase
Storage, login and session management
Region: EU region or customer-selected Supabase project region — to be confirmed per tenant
Data types: Account data, dossier data, log entries, push tokens, sessions, auth identifiers
Status: Required for platform data
In line with the selected project and customer-configured region.
Transactional email
Resend (indien geconfigureerd) of andere e-mailprovider
Invites, confirmations and system messages
Region: Depends on configured provider — to be confirmed in production
Data types: Email address, message content (operational), delivery metadata
Status: Conditional — active when an email provider is configured
Monitoring and logging
Sentry (indien geconfigureerd) of andere monitoringprovider
Error reporting and performance monitoring
Region: Depends on Sentry organisation/region — to be confirmed
Data types: Error stack traces, request context (pseudonymised where possible), performance spans
Status: Conditional — only when `SENTRY_DSN` or comparable configuration is active
Bot protection
Cloudflare Turnstile
Protection of forms and login flows
Region: Cloudflare edge — exact processing location to be confirmed
Data types: Browser/challenge metadata, IP address (short-lived), form context
Status: Conditional — active when Turnstile keys are configured
Push ecosystem
Firebase Cloud Messaging (native) / Web Push (VAPID)
Delivery of push notifications
Region: FCM/Google infrastructure; web push via browser vendor — to be confirmed
Data types: Device/push token, generic notification text (no dossier content on lock screen), delivery metadata
Status: Conditional — active when push is technically configured
Operational notifications
Slack (indien geconfigureerd) of vergelijkbaar ops-kanaal
Technical warnings and ops alerts
Region: Depends on Slack workspace — to be confirmed
Data types: Aggregated or pseudonymous ops alerts; no customer dossier content where possible
Status: Conditional — only when an ops webhook is configured
Customer-configured webhooks
HTTPS-eindpunten van de Klant
Event flow into customer systems
Region: Determined by customer endpoint
Data types: Event payloads per customer configuration (may contain personal data)
Status: Optional per customer — not a standard PSM subprocessor in the strict sense
Processing then falls under the customer's configuration.
File and object storage
Supabase Storage (standaard) of andere gekozen backend
Uploads, dossier files and attachments
Region: Same region as Supabase project — to be confirmed per tenant
Data types: Photos, documents and dossier files linked to assignment records
Status: Required when uploads are active (`FILE_STORAGE_BACKEND`)
In line with `FILE_STORAGE_BACKEND` and the selected bucket settings.
What a buyer gets from this
- One source register for DPA and privacy.
- Clear environment dependency per vendor.
- Changes can be communicated through the DPA notice and version flow.
Related documents