Subprocessors
Third-party service providers engaged in processing limited customer personal data.
Last Updated: 16 September 2025
Change Management & Notification
We update this list upon engaging or removing a subprocessor. For materially new subprocessors that process personal data, we aim to provide at least 15 days prior notice (via email or dashboard) to customers with a current DPA before activation, enabling objections per the DPA.
Current Subprocessors
| Name | Purpose | Data Types | Primary Location | DPA / Terms | Status | Last Review |
|---|---|---|---|---|---|---|
| Vercel | Application hosting & edge delivery | Runtime logs, error traces, minimal request metadata | USA / Global | Provider Standard DPA | Active | 2025-08-01 |
| Stripe | Payment processing | Billing email, transaction metadata (no full card data stored by us) | USA / EU | Stripe Services Agreement & DPA | Active | 2025-08-01 |
| Firebase (Google) | Authentication & database | Auth identifiers, user profile metadata | Global (region selection) | Google Cloud Data Processing Addendum | Active | 2025-08-01 |
| Google Analytics | Product & usage analytics | Aggregated event data, pseudonymous identifiers | Global | Google Analytics Data Processing Amendment | Active | 2025-08-01 |
| Vercel Analytics | Performance monitoring | Performance timings, aggregated metrics | Global | Vercel DPA | Active | 2025-08-01 |
All subprocessors are evaluated for security posture, data protection commitments, and need-to-know scope minimization.
Request More Information
For security questionnaires or clarification about any subprocessor, contact alex@zuvohq.com. Include your account identifier and justification for the request.
Disclaimer
This list is provided for transparency and does not itself constitute a contractual commitment. Binding terms are contained in the Client Agreement, Terms of Service, and Data Processing Agreement.