Sub-processors

Who processes your data on our behalf.

Every third party we use to deliver Assembyl is listed here with the purpose, data categories, residency, transfer mechanism, and audit posture. We notify tenants at least 30 days before adding a new sub-processor.

Sub-processor

Stripe

Legal entity
Stripe Payments Europe Ltd. (Dublin, IE) for EU tenants. Stripe, Inc. (Delaware, US) for non-EU tenants.
Purpose
Payment processing — Stripe Connect (tenant payouts to their bank accounts), Stripe Billing (Assembyl subscription charges), and Stripe Checkout (member-facing payment UI).
Data processed
Member name and email, payment instrument tokens (no raw card data — handled by Stripe.js), payment amounts and metadata, IP address (fraud detection), org legal name and bank details (Connect KYC).
Data residency
EU (Ireland) for EU tenants; US for US tenants. Processing region is selectable per Stripe account.
Transfer mechanism
SCCs (Commission Decision 2021/914/EU) with supplementary measures; EU-US DPF certified.
Audit / assurance
SOC 1 Type II, SOC 2 Type II, ISO 27001, PCI DSS Level 1.
Notes
Stripe is itself a controller for fraud, AML, and KYC processing — the DPA carves these out.
Sub-processor

MongoDB Atlas

Legal entity
MongoDB Limited (Dublin, IE) for EU tenants.
Purpose
Primary application database — all tenant data collections (members, finance records, attendance, documents, audit logs).
Data processed
Members, finance records, attendance, document metadata, audit logs, password hashes (argon2id), MFA secrets, encrypted signing keys.
Data residency
EU regions (e.g. aws-eu-west-1 / gcp-europe-west1). Production cluster region is set during deployment and reflected in the binding DPA.
Transfer mechanism
SCCs with EU-US DPF.
Audit / assurance
SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA-ready.
Notes
Database-level encryption at rest is enabled by default on Atlas M10+. Special-category data (GDPR Art. 9) is out of scope for the standard contract — separate Art. 9-permitted basis required.
Sub-processor

Cloudinary

Legal entity
Cloudinary, Ltd. (Israel) with EU presence.
Purpose
Image CDN — member avatar photos and organisation branding logos.
Data processed
Image binaries (photos that may identify members), filenames, URLs, upload metadata.
Data residency
Multi-region CDN; primary storage configurable.
Transfer mechanism
Israel has an EU adequacy decision (Commission Decision 2011/61/EU, renewed 2024). No SCCs required for EU-to-Israel transfers.
Audit / assurance
SOC 2 Type II, ISO 27001, ISO 27018.
Notes
Israel adequacy is under periodic review. If revoked, we will implement SCCs and consider migration to an EU-primary image CDN.
Sub-processor

Brevo

Legal entity
Sendinblue SAS (Paris, FR) — trading as Brevo.
Purpose
Transactional email — invitations, password resets, receipt notifications, donation acknowledgements, expense notifications, plan-change confirmations.
Data processed
Recipient name and email, message body (may contain member names, amounts, organisation names, transaction IDs, signed links).
Data residency
EU (France). Brevo is chosen over US-based alternatives specifically for the in-region processing path.
Transfer mechanism
EU-to-EU — no cross-border transfer mechanism required for the primary processing path.
Audit / assurance
ISO 27001, SOC 2 Type II.
Sub-processor

Google Cloud Platform

Legal entity
Google Ireland Ltd. for EU tenants.
Purpose
Application hosting — Cloud Run (API and frontends), Cloud Scheduler (cron triggers), Secret Manager (DB credentials, signing keys), Cloud Storage (build artifacts), Cloud Logging.
Data processed
All tenant data passes through Cloud Run instances in-memory only — no persistent storage at the GCP compute layer. Logs contain request metadata (timestamps, paths, status codes, IPs, user agents). Secret Manager holds DB connection strings and JWT signing secrets.
Data residency
Cloud Run services deployed to europe-west3 (Frankfurt) per current staging configuration. Production region is locked at deployment and reflected in the binding DPA.
Transfer mechanism
SCCs with EU-US DPF.
Audit / assurance
ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS, HIPAA-ready, FedRAMP.
Notes
GCP processes logs in-region but aggregates global telemetry to the US for diagnostics. The DPA covers this.
Sub-processor

Cloudflare

Legal entity
Cloudflare, Inc. (Delaware, US). Cloudflare Ireland Ltd. is available for EU customers on Business+ tiers.
Purpose
DNS (assembyl.org domain), CDN edge caching (public-web static assets), DDoS protection, SSL certificate provisioning, Email Routing (inbound *@assembyl.org).
Data processed
Request metadata (IPs, user agents, request paths, headers); inbound email routing addresses; some response caching of public-web pages.
Data residency
Multi-region edge — EU traffic primarily served from EU edges. Logs may transit through US infrastructure.
Transfer mechanism
SCCs with EU-US DPF.
Audit / assurance
SOC 2 Type II, ISO 27001, ISO 27018, PCI DSS.
Notes
Cloudflare acts as a controller for some processing (security threat intelligence, DDoS metadata). The DPA carves these out.

Change notification

We notify tenants by email to the registered support contact at least 30 days before adding a new sub-processor. Tenants may object within those 30 days, and may terminate the affected service or contract if the objection cannot be resolved.

Inventory last updated:

Questions about a sub-processor? Contact us.