Sub-processors
The third parties that process data on our behalf, each with its purpose, the data categories it touches, where it processes, and the cross-border transfer basis. This is the canonical register — our privacy policy links here rather than repeating it.
Last updated 27 June 2026
Register version 2026.06.1
Active sub-processors
Each processor below is bound by a data-processing agreement that restricts its use of data to providing its service to us. We engage only the processors required to run the Service.
| Sub-processor | Purpose | Data categories | Processing region | Transfer basis |
|---|---|---|---|---|
| Vercel | Application hosting and edge/serverless compute | All data in transit during request handling; no durable storage of customer data at this layer | United States (primary function region — confirm) | SCCs + EU-US / UK-US Data Privacy Framework where certified |
| Neon | Managed PostgreSQL database (data at rest) | Tenant inventory state, findings, audit logs, sign-in metadata, account and billing identifiers | United States (confirm project region) | SCCs + DPF where certified |
| Stripe | Billing and payment processing | Billing email, Stripe customer/subscription identifiers, usage records | United States | SCCs + DPF where certified |
| Resend | Transactional email delivery (welcome, alerts, billing) | Recipient email address and message content for transactional mail | United States | SCCs + DPF where certified |
| Microsoft | Authentication (Entra ID sign-in) and the read-only Graph / ARM APIs you authorize | Your Entra ID sign-in profile; read-only access to the tenant data you grant | Per your Microsoft tenant's configured region | You control the tenant; Microsoft is your provider. Reads are authorized by your admin's read-only consent — by default under Permafrost's own multi-tenant app (no per-tenant secret held); Pro and above can opt into a dedicated app registration whose secret is held encrypted in our secrets vault |
| Google Analytics | Traffic measurement on the public marketing site only | Marketing-site visit metadata. Loaded only with opt-in consent; never runs in the signed-in application | United States | SCCs + DPF where certified; consent-gated |
Error monitoring is first-party: application errors are captured in our own infrastructure with secrets and customer PII redacted at the point of capture. We do not send error data to a third-party error-tracking provider, so none appears in this register.
On the roadmap — not yet engaged
Multi-cloud coverage for Amazon Web Services and Google Cloud is in preview — on the roadmap. These reads are not built yet and no customer data flows to them today. When that coverage ships, the data-source processors below join the active register above, and we notify customers first under the mechanism described below. Microsoft cloud coverage is available now.
| Future data source | Planned purpose & access |
|---|---|
| Amazon Web Services (coming soon) | Read-only entitlement data source for AWS accounts, via sts:AssumeRole with an external ID. No stored keys. |
| Google Cloud (coming soon) | Read-only entitlement data source for GCP projects, via Workload Identity Federation. No stored keys. |
How we notify you of changes
Before a new sub-processor begins processing your data, we update this register and raise its version number. Customers can subscribe to change notifications: when the register changes we email the account administrator with reasonable advance notice, so you have the opportunity to review and, if your agreement provides for it, object before the new processor goes live.
To be added to the sub-processor change-notification list, email support@permafrostepm.com.
