← Back to spendapproval.com

Sub-processors

Last updated: 19 February 2026

SpendApproval uses the following third-party sub-processors to deliver its service. Each sub-processor is bound by data processing terms no less protective than those in our Data Processing Agreement.

To receive advance notification of changes to this sub-processor list, contact [email protected] to subscribe to updates. Customers are notified at least 30 days before a new sub-processor begins processing data.

Active Sub-processors

Cloudflare, Inc.

Active
Purpose Content delivery network (CDN), serverless compute (Workers), database (D1), object storage (R2), message queues, DNS, WAF, DDoS protection Location United States (headquarters). Processing occurs at Cloudflare edge locations globally, including EU data centers. Data processed All application data including user accounts, approval requests, communication logs, and encrypted sensitive fields. Data is stored in Cloudflare D1 (database) and R2 (object storage). Transfer mechanism EU Standard Contractual Clauses (SCCs); Cloudflare DPA

Resend, Inc.

Active
Purpose Transactional email delivery (approval notifications, authentication emails, invitation emails) Location United States Data processed Recipient email addresses, recipient names, email subject lines, email content (approval details, authentication links) Transfer mechanism EU Standard Contractual Clauses (SCCs)

VoIP.ms

Active
Purpose Telephony and SMS delivery for approval escalation (outbound calls with DTMF approval, SMS notifications) Location Canada Data processed Recipient phone numbers, call metadata (duration, DTMF input, timestamps), SMS content (approval notification text) Transfer mechanism Canada has an EU adequacy decision

Infisical

Active
Purpose Secrets management (API keys, encryption keys, service credentials) Location Self-hosted on SpendApproval infrastructure (no data leaves SpendApproval-controlled systems) Data processed Application secrets and configuration values only. No end-user personal data is stored in Infisical. Transfer mechanism N/A (self-hosted; no external data transfer)

Planned Sub-processors

Stripe, Inc.

Planned
Purpose Payment processing (not yet active; planned for future billing functionality) Location United States (headquarters). EU data processing available. Data processed Payment details, billing contact information (scope to be confirmed upon activation) Transfer mechanism EU Standard Contractual Clauses (SCCs); to be confirmed upon activation Status Not yet active. Customers will be notified at least 30 days before Stripe begins processing data.

Changes to This List

This page is updated whenever a sub-processor is added, removed, or materially changes its scope of processing. Customers with an active DPA will be notified by email at least 30 days before any new sub-processor begins processing personal data.

Questions

For questions about our sub-processors or to subscribe to change notifications, contact [email protected].