1. List of sub-processors
In accordance with the DPA (Article 5), Walityk publishes here the up-to-date list of sub-processors we rely on to provide the service.
| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
| Cloudflare, Inc. | Edge worker (collection), KV (24h deduplication), Queues (forwarding), Pages (dashboard hosting) | Global network, processing close to the end user · SCC 2021 + EU-US DPF | TLS encryption, Cloudflare data processing addendum |
| Supabase Inc. (via Supabase EU) | Postgres database, authentication, Realtime | Frankfurt, Germany — European Union · No transfer outside the EU | AES-256 at-rest, RLS, encrypted backups |
| Stripe Payments Europe, Ltd | Payment processing and billing | Ireland (EU headquarters), technical processing in the United States · SCC 2021 + EU-US DPF | PCI-DSS Level 1, card data out of Walityk’s scope |
| Resend, Inc. | Sending transactional emails (magic link, billing alerts) | United States · SCC 2021 | TLS encryption, log retention limited to 30 days |
| Functional Software, Inc. (Sentry) | Application error reporting (best-effort, optional per environment) | United States · SCC 2021 + EU-US DPF | No plaintext PII sent to Sentry — only technical messages + minimal application context (path, HTTP method) |
2. Change notification procedure
Any addition, removal or replacement of a sub-processor is subject to:
- an update to this page at least 30 days before taking effect;
- a notification email to the GDPR contact address of each active client.
The client may object to the change by terminating the contract without penalty within 30 days of the notification.
3. Subscribing to notifications
Notifications are sent automatically to the email of the organisation’s owner account. To add a separate GDPR recipient (internal DPO, legal), contact privacy@walityk.com.