Subprocessors

Last updated: 2026-06-13

SoundAssist engages the following third-party services to deliver the product. Each one processes a defined slice of user data on our behalf under a written Data Processing Agreement (GDPR Article 28). New subprocessors will be listed here before they go into production. Entries marked Inactive are integrated but currently switched off in code, so no data flows to them today.

For questions, contact info@soundassist.online.

Supabase

Purpose: Authentication, database (Postgres), realtime, file storage.
Data types: Account credentials, User-generated content, Session metadata
Location: EU (Frankfurt)
Compliance: ISO 27001 · SOC 2 Type II · GDPR DPA

Vercel

Purpose: Application hosting, edge network, request logs, plus consent-gated, cookieless product analytics (page views + funnel events).
Data types: IP addresses (logs), Request URLs, Performance metrics, Aggregate page views, Product funnel events
Location: US + EU (multi-region)
Compliance: ISO 27001 · SOC 2 · GDPR DPA

Cloudflare R2 + CDN

Purpose: Object storage for audio + image files; content delivery.
Data types: Uploaded audio (masters, encodes), Track artwork, Profile images
Location: EU region (bucket jurisdiction); CDN served from the closest edge
Compliance: ISO 27001 · SOC 2 Type II · GDPR DPA · EU-U.S. Data Privacy Framework

Cloudflare Turnstile

Purpose: Bot / abuse protection (CAPTCHA challenge) on anonymous forms — signup, project intake, mastering intake, and public feedback.
Data types: IP address (bot scoring only, not stored by us), Browser challenge signals
Location: Global (Cloudflare edge)
Compliance: ISO 27001 · SOC 2 Type II · GDPR DPA · EU-U.S. Data Privacy Framework

StripeInactive

Purpose: Subscription billing, payment processing, invoice generation. Not yet live — activates when paid subscriptions launch; no billing data is processed today.
Data types: Email, Last 4 of card, Billing address, Transaction history
Location: US + EU (Stripe Atlas EU)
Compliance: PCI DSS Level 1 · ISO 27001 · GDPR DPA · SCC

Resend (Resend.com)

Purpose: Transactional email delivery (signup confirm, password reset, magic link, invites, notifications).
Data types: Recipient email, Email body, Delivery + bounce events
Location: US + EU
Compliance: GDPR DPA · SOC 2 Type II in progress

OpenAIInactive

Purpose: Whisper API for audio transcription plus GPT-4o-mini for session summaries (opt-in feature). Not yet live — transcription is disabled by feature flag, so no audio is sent today.
Data types: Audio clip submitted for transcription, Generated transcript text, Generated summary text
Location: US
Compliance: SOC 2 · GDPR DPA · API tier explicitly excludes training on submitted content

Sentry

Purpose: Error monitoring + crash reports.
Data types: Stack traces, Route paths (no PII), Browser version, Build commit SHA
Location: EU (Germany / Frankfurt — *.ingest.de.sentry.io)
Compliance: ISO 27001 · SOC 2 Type II · GDPR DPA · PII scrubbing enabled on our side (sendDefaultPii=false)

LiveKit Cloud

Purpose: Real-time audio/video for collaboration rooms (only active during a session).
Data types: Audio stream (ephemeral, not recorded server-side by default), Session metadata, Peer connection metrics
Location: Auto-located (closest region); per-room regional binding available
Compliance: SOC 2 Type II · GDPR DPA · Streams are end-to-end transit-encrypted

Notifications of changes

To be notified by email at least 30 days before a new subprocessor is added, send a request to info@soundassist.online with the subject line subprocessor-notify.

Cross-border transfers

Subprocessors located outside the EEA are bound by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework. Audio + collaboration data hosted on Supabase is in the EU (Frankfurt). Object storage (Cloudflare R2) is auto-located but always within the EU region pool for EU originators.

Changes

2026-06-13 — Added Cloudflare Turnstile (bot protection). Corrected Sentry region to EU (Frankfurt). Marked Stripe + OpenAI as not-yet-live. Updated transfer-framework wording (EU-U.S. Data Privacy Framework).
2026-05-25 — Initial publication.