SSylatris← Back to site

Sub-processors

Last updated: 18 May 2026 Version: 1.0

Sylatris uses the following sub-processors to provide the Service. This list is maintained in accordance with our Privacy Policy (Section 6) and Terms of Service (Section 6.5).

We will provide reasonable notice of any new or replacement sub-processors and offer Customer Organizations the right to object on legitimate grounds.

Current sub-processors

| Sub-processor | Purpose | Data processed | Location | Safeguards | |---|---|---|---|---| | Supabase Inc. | Database, authentication, file storage | All customer data (org records, invoices, expenses, documents, user accounts) | EU-Central (Frankfurt, Germany) | DPA, SOC 2 Type II, ISO 27001. Data at rest encrypted (AES-256). EU-only hosting. | | Stripe Payments Europe Ltd | Payment processing, subscription management | Billing information, email addresses, payment method tokens | EU (Ireland / Netherlands) | DPA, PCI DSS Level 1, SOC 2 Type II. No raw card data touches Sylatris servers. | | Vercel Inc. | Application hosting, serverless functions, edge network | Request data, cookies, server-side logs | Global CDN with EU edge (Frankfurt) | DPA, SOC 2 Type II. Serverless functions execute in EU (Frankfurt). Request logs retained max 30 days. | | Anthropic PBC | AI document extraction, conversational assistant | Document content (invoices, receipts), chat messages | United States | DPA, EU Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework. SOC 2 Type II, ISO 27001, ISO 42001. Zero-data-retention eligible. Inputs are not used for model training under commercial terms. | | Resend Inc. | Transactional email delivery (notifications, dunning) | Email addresses, notification content | United States | DPA, SCCs. Emails processed transiently for delivery; not stored long-term. | | Postmark (ActiveCampaign LLC) | Inbound email webhook (receipt forwarding) | Forwarded email content, attachments | United States | DPA, SCCs, SOC 2 Type II. Inbound emails processed and forwarded to Sylatris webhook; not retained by Postmark after delivery. |

Data transfer safeguards

For sub-processors located outside the European Economic Area (EEA), Sylatris relies on one or more of the following transfer mechanisms in accordance with GDPR Chapter V:

  • EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914)
  • EU-US Data Privacy Framework adequacy decision (adopted 10 July 2023) for certified US recipients
  • Supplementary technical measures including encryption in transit (TLS 1.3) and at rest (AES-256)

Changes to this list

Material changes to sub-processors will be communicated to authenticated users via email at least thirty (30) days in advance. Customers who object to a new sub-processor on legitimate data protection grounds may terminate their subscription without penalty.

Contact

For questions about sub-processors or data processing: Email: privacy@sylatris.com

Sub-processors