Subprocessors
Effective 2026-06-17
To run Brightroom (“Brightroom”, “we”, “us”), we engage a small number of third-party service providers that process personal data on our behalf. Under the EU GDPR and the Swiss revFADP these providers are processors (the GDPR also calls them subprocessors where they act under our processor agreements). This page names every one we currently use, states what it processes, where it processes it, and the safeguard that applies to any transfer outside Switzerland and the EEA. It supplements, and matches, the recipients table in our Privacy Policy (§4) and our international transfers section (§5).
Current subprocessors
Each provider below processes only the data needed for its purpose and only on our documented instructions. Follow each name for that provider’s own privacy notice.
| Provider | Purpose | Location | Transfer safeguard | Privacy notice |
|---|---|---|---|---|
| Supabase, Inc. | Authentication, Postgres database hosting | European Union (Frankfurt) / United States | SCCs + Swiss addendum; primary EU (Frankfurt) residency | Privacy notice |
| Stripe Payments Europe, Ltd. | Subscription billing, payment processing | Ireland (EU) / United States | DPF-certified, backed by SCCs | Privacy notice |
| Vercel, Inc. | Application hosting, edge delivery | European Union / United States | DPF-certified, backed by SCCs | Privacy notice |
| Resend (Plus Five Five, Inc.) | Transactional email delivery (account, billing and security messages — recipient name + email address) | United States | SCCs + Swiss addendum | Privacy notice |
| Functional Software, Inc. (Sentry) | Error and performance monitoring (diagnostic data; PII scrubbed before send) | United States | SCCs + Swiss addendum | Privacy notice |
| Upstash, Inc. | Redis-backed API rate limiting (uses the client IP as a throttle key) | European Union / United States | SCCs + Swiss addendum | Privacy notice |
This list is the authoritative version and is updated whenever the pipeline changes. Beyond these processors, we disclose personal data only to other users where you choose to use the referral programme (see the Affiliate Terms and Privacy Policy §6), and to authorities, payment-card networks, or professional advisers where the law requires it or to establish, exercise, or defend legal claims. We do not sell your personal data, and we do not share it with data brokers or advertising networks.
Data-processing agreements (Art. 28 GDPR)
Each provider above is bound by a written data-processing agreement (a “DPA”) that meets Art. 28 GDPR and Art. 9 revFADP. Among other terms, every DPA requires the provider to:
- process personal data only on our documented instructions;
- keep the data confidential and ensure its staff are bound by confidentiality;
- apply appropriate technical and organisational security measures;
- engage its own subprocessors only under equivalent obligations and with the notice we require;
- assist us with data-subject requests, security, breach notification, and data-protection impact assessments; and
- delete or return the data at the end of the engagement, save where law requires retention.
We carry out reasonable diligence before adding a provider and review our providers periodically. A copy of the relevant data-processing agreement or transfer clauses is available on request to privacy@bright-room.com.
International transfers
Some providers store or process data outside Switzerland and the EEA, notably in the United States. The “Transfer safeguard” column above shows the mechanism we rely on for each one. In summary:
- Adequacy. Under the GDPR we rely on a European Commission adequacy decision (Art. 45) where one exists; under Swiss law, adequacy is set by the Federal Council list (DSV Annex 1). For the United States this covers only recipients certified under the EU-U.S. and Swiss-U.S. Data Privacy Framework (“DPF”).
- Data Privacy Framework (DPF). Where a US provider is certified for the relevant data, the transfer rests on that certification. Stripe and Vercel are DPF-certified; we also keep Standard Contractual Clauses with them as a backstop.
- Standard Contractual Clauses (SCCs). Where a US provider is not DPF-certified for the relevant data — for example our email and error-monitoring providers — we rely on the EU Standard Contractual Clauses (Art. 46 GDPR) together with the FDPIC-recognised Swiss addendum (revFADP Art. 16(2)(d)).
- Supplementary measures. Alongside the clauses we apply encryption in transit and at rest, pseudonymisation, EU-region data residency where a provider offers it, and minimisation of what each provider receives. For US importers we hold a short transfer-impact assessment.
The EU Online Dispute Resolution platform was shut down on 20 July 2025, so we do not point you to it; for cross-border consumer matters we reference the national consumer-mediation routes named in our Terms of Service.
Changes to this list and how we notify you
When we intend to add or replace a subprocessor, we update this page first — the table above is generated from a single source of truth, so it always reflects the live pipeline. Where consent is the legal basis for the affected processing (for example a new analytics provider in the consent-gated event stream), we re-prompt for consent before that provider receives any data; you can review and change your choices at any time through the cookie controls described in our Cookie Policy. For other material changes that affect how your data is handled, we give notice by email or in-app message in line with Privacy Policy §14. We keep the effective date at the top of this page current with each change.
Records of processing and contact
We maintain an internal record of our processing activities (a record under Art. 30 GDPR and Art. 12 revFADP) that lists the controller, the purposes, the categories of data and data subjects, the recipients and subprocessors named above, the international transfers and their safeguards, and our retention periods. To ask about our records of processing, to request a copy of a provider’s DPA or transfer clauses, or to raise any other data-protection question, write to privacy@bright-room.com. The controller’s identity and postal address are in Privacy Policy §1 and on our Imprint.