Sub-processors
Under GDPR Art. 28 we maintain a list of every third-party processor that touches personal data on GrailWatch's behalf. This page is the canonical record. We update it in the same change-set as any processor change — adding, removing, or scope-shifting.
Active sub-processors
Each entry below is a processor in production today, the role it plays, where it sits jurisdictionally, the data it receives, and the cross-border transfer mechanism that applies.
- Supabase
Role. Primary database, authentication, and storage backend.
Data received. Account email, hashed password, profile fields, saved searches, Grail List entries, community signals, consent records, newsletter subscriptions, score audit trail.
- Vercel
Role. Application hosting, edge middleware, and CDN.
Data received. Request metadata (IP, user-agent, URL, response time), short-term access logs. No persistent user data is stored at Vercel; cookies pass through to Supabase.
- Railway
Role. Background worker hosting (reassessment, email digest).
Data received. Service-role access to Supabase tables required by the worker job. No direct user identifiers are stored at Railway; logs are short-term.
- Upstash
Role. Redis-backed rate limiting and (post-launch) security-event sink, when wired up.
Data received. Rate-limit counters keyed by hashed IP / hashed token; security-event records keyed by user id / IP.
- Mapbox
Role. Map tiles for geographic features (where the seller ships from, where the watch is presented). When wired up.
Data received. Tile-fetch requests with approximate viewport coordinates and visitor IP at the time of the request.
- Voyage AI
Role. Embedding model used to compute semantic similarity between watch references and listings. When wired up.
Data received. Reference titles, descriptions, and short listing excerpts. No account-identifying data is sent.
- DeepL
Role. Machine translation of community signals authored in non-English languages. When wired up; off by default.
Data received. Short text excerpts authored by community contributors.
Notable absences
The following processors that the audience may reasonably wonder about are not currently in use. If any are added we will update both this page and the ROPA in the same commit.
- Google Analytics 4 (or any web-analytics provider) — listed in the ROPA as a future possibility under explicit opt-in consent. Not currently wired.
- Email delivery providers (Resend / Postmark / SendGrid) — the digest worker is in dry-run mode. The provider will appear here the moment send is enabled.
- Advertising networks. None are wired and we have no current plan to wire one.
- eBay Partner Network. Outbound clicks are not yet attributed; the integration is on the slice-1b roadmap and will appear here when it ships.
- Sentry / Logflare / Axiom (error and security-event shipping). None wired yet; the closest existing path is the in-process StderrSecurityEventSink described in the security runbook.
How we notify of changes
For an existing user account, a material change to this list (a new processor, a meaningful scope change, or a removal) is announced in the next available newsletter and recorded in the public changelog. The page itself is git-versioned; the commit history is the canonical timeline.
Standard Contractual Clauses
For every US-located sub-processor that handles EU personal data we rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism. We have not (yet) completed formal Transfer Impact Assessments per processor; that is a counsel-driven workstream that opens with the broader counsel engagement.