Legal

Sub-processors

Effective 2026-06-06 · Last updated 2026-06-06

A sub-processor is a third-party vendor that DSP Watch engages to process personal data on behalf of our customers. This register is the authoritative list referenced by section 7 of the data processing agreement. We currently rely on 5 sub-processors. We will give at least 30 days' prior notice by email and on this page before adding or replacing any sub-processor.

Subscribe to change notices

To receive automated notice of changes to this list, email privacy@dspwatch.com with the subject line "Subscribe to sub-processor changes".

Supabase, Inc.

Vendor site

Primary application database, authentication and object storage

Data processed: Account email and hashed credentials
User profile and role metadata
Catalogue records (titles, ISRCs, UPCs, artist names)
Match records and confidence scores
Takedown notice payloads and immutable audit log
Processing location: United States (AWS us-east-1, multi-AZ)
Transfer safeguard: EU Standard Contractual Clauses + EU-US Data Privacy Framework. SOC 2 Type II.
Vendor DPA: Read DPA

Cloudflare, Inc.

Vendor site

Edge CDN, Workers API, Pages hosting, DDoS and WAF

Data processed: HTTP request metadata and headers
Visitor IP address and user-agent
Authenticated session tokens (in transit only)
API request and response payloads in transit
Marketing-site static assets
Processing location: Global edge — data centre nearest end-user
Transfer safeguard: EU SCCs + Cloudflare DPA. ISO 27001, SOC 2 Type II, PCI DSS.
Vendor DPA: Read DPA

Fly.io, Inc.

Vendor site

Headless-browser takedown workers and long-running jobs

Data processed: Takedown form payloads in transit
Captured evidence URLs and screenshots
Ephemeral browser session state (purged on job completion)
Job queue metadata
Processing location: United States and Europe — region pinned per customer where requested
Transfer safeguard: EU SCCs + Fly.io DPA. SOC 2 Type II in progress.
Vendor DPA: Read DPA

Stripe Payments Australia Pty Ltd

Vendor site

Subscription billing, payment processing, tax calculation, invoicing

Data processed: Cardholder name and billing address
Card token (DSP Watch never stores the PAN)
Last 4 digits of card and expiry
Billing email and tax identifier
Subscription, invoice and refund records
Processing location: United States, Ireland, Australia
Transfer safeguard: EU SCCs + Stripe DPA. PCI DSS Level 1, SOC 2 Type II, ISO 27001.
Vendor DPA: Read DPA

Google LLC (Gemini API)

Vendor site

AI-assisted match-confidence scoring and audio fingerprint classification

Data processed: Track titles, artist names, label name (catalogue metadata)
ISRC and UPC identifiers
Audio waveform fingerprints (non-reversible)
No end-user PII, no account credentials, no billing data
Processing location: United States and Europe (multi-region)
Transfer safeguard: EU SCCs + Google Cloud DPA. Zero-retention API mode: prompts and responses are not used to train Google models and are not retained beyond the inference window.
Vendor DPA: Read DPA

How we vet a sub-processor

Before engaging any sub-processor we complete a documented assessment covering:

independent assurance — at minimum a current SOC 2 Type II or ISO 27001 report;
a signed Data Processing Addendum with EU Standard Contractual Clauses (Module 3 for sub-processors) and UK Addendum where applicable;
a transfer impact assessment for any onward transfer outside the EU/EEA, UK or Switzerland;
a 30-day notice and objection window for our customers, as committed in the DPA.

How to object

If you have a reasonable, data-protection-based objection to a proposed new sub-processor, email privacy@dspwatch.com within the 30-day notice window. We will work with you in good faith. If we cannot resolve the concern, you may terminate the affected service and receive a pro-rata refund of any pre-paid, unused fees, as set out in section 7 of the DPA.