Last updated: May 2026 · The third parties Provlyn uses to deliver its service
A sub-processor is a third party that Provlyn engages to process personal data on our behalf. They only ever act on our written instructions and on the limited scope necessary to deliver the service.
Each sub-processor on this list has been assessed for security, contractual terms, and lawful transfer mechanisms. Where the sub-processor handles personal data, a Data Processing Agreement (DPA) is in place. Where the sub-processor receives only cryptographic hashes or other non-personal data, a DPA is not required.
| Service | Purpose | Data processed | Location | Transfer basis | DPA |
|---|---|---|---|---|---|
Render Render Services Inc. (United States) | Backend application hosting and PostgreSQL database | Account data, vault metadata, deposit metadata, access logs, security event log | Frankfurt, Germany (EU) | EU hosting; US parent — SCCs in place | Signed |
Amazon Web Services (S3) Amazon Web Services EMEA SARL | Storage of deposited files | Uploaded files, file metadata | Stockholm, Sweden (EU) | EEA storage; no transfer outside EEA | Signed |
Vercel Vercel Inc. (United States) | Frontend hosting and edge delivery | Request logs (IP, user agent) — short-term operational only | Global edge; primary US | US transfer — SCCs and UK IDTA | Signed (scope-limited; full scope on Pro plan upgrade pre-launch) |
Paddle Paddle.com Market Limited (United Kingdom) | Payment processing as Merchant of Record | Name, email, billing address, transaction history, tokenised payment method | United Kingdom and global | UK and EU — adequacy decision applies | In progress (response awaited) |
Resend Resend Inc. (United States) | Transactional email delivery | Recipient email address, message content, delivery status | United States | US transfer — SCCs and UK IDTA | Signed |
Sentry Functional Software, Inc. dba Sentry (United States) | Application error monitoring | Error events, request context, may incidentally include user IDs | Frankfurt, Germany (EU region) | EU region selected; US parent — SCCs in place | Signed |
GoDaddy GoDaddy.com, LLC (United States) | Domain registration and email aliases | Inbound and outbound email metadata for provlyn.com aliases | United States | US transfer — SCCs and UK IDTA | Signed |
GitHub GitHub, Inc. (United States) | Source code repository | No production personal data; source code only | United States | No personal data in scope | Not applicable |
UptimeRobot UptimeRobot Service Provider Limited (United Kingdom) | Uptime monitoring of public health endpoints | No personal data — only public endpoint reachability | United Kingdom | No personal data in scope | Not applicable |
Have I Been Pwned Superlative Enterprises Pty Ltd (Australia) | Compromised password breach check during registration and password change | First 5 characters of SHA-1 password hash (k-anonymity); no password or identity transmitted | Australia (Cloudflare global edge) | No personal data in scope | Not applicable |
FreeTSA freetsa.org | RFC 3161 trusted timestamps for deposit certificates | SHA-256 file hash only — no personal data, no file contents | Switzerland | No personal data in scope | Not applicable |
AlfaTrust AlfaSign (Romania, EU) | Qualified eIDAS timestamps (per-deposit and daily access-log anchoring); Qualified Trust Service Provider on the EU Trusted List | Cryptographic hash only — no personal data, no file contents | Romania (EU) | No personal data in scope | Requested |
OpenTimestamps and Bitcoin network Public protocol and decentralised network | Blockchain anchoring of cryptographic hashes | SHA-256 file hash only — no personal data, no file contents | Decentralised (public) | No personal data in scope | Not applicable |
Where personal data is transferred outside the United Kingdom or European Economic Area, Provlyn relies on the following safeguards as required by Article 46 of the UK and EU GDPR:
Where a sub-processor receives only cryptographic hashes (FreeTSA, AlfaTrust, OpenTimestamps, Have I Been Pwned), no personal data leaves Provlyn and these safeguards are not engaged.
Provlyn may add, replace, or remove sub-processors as the service evolves. We update this page promptly when changes occur.
We do not currently send proactive email notifications of sub-processor changes to account holders. Customers with a contractual right to advance notice may subscribe by emailing privacy@provlyn.com and we will notify them by email at least 14 days before any new sub-processor begins processing their personal data.
Where a sub-processor change presents a material risk, we will publish a notice on this page and, where required by law, notify affected users directly.
If you have questions about any sub-processor, or wish to object to a specific sub-processor handling your data, contact privacy@provlyn.com.
Where an objection cannot be reasonably accommodated without affecting Provlyn's ability to deliver the service, we will work with you to find an alternative, which may include termination of your subscription with a pro-rata refund.