Skip to content
TruthVouch Docs

Sub-Processor List

TruthVouch uses approved sub-processors (vendors) to provide our service. All sub-processors are bound by Data Processing Agreements ensuring adequate data protection.

Current Sub-Processors

Cloud Infrastructure

NamePurposeLocationData Types
Amazon Web Services (AWS)Cloud compute, storage, databases, CDNUS, EUAll customer data
CloudFlareDDoS protection, WAF, DNSGlobalNetwork traffic

Authentication & Monitoring

NamePurposeLocationData Types
Auth0User authentication and SSOUSUser credentials (hashed)
DataDogSystem monitoring and loggingUSSystem logs, metrics
SentryError tracking and debuggingUSApplication errors, crash reports
PrometheusMetrics collectionSelf-HostedSystem metrics
GrafanaMonitoring dashboardsSelf-HostedSystem metrics

Communications & Email

NamePurposeLocationData Types
SendGridEmail deliveryUSEmail addresses, message content
Slack (optional)Alert notificationsUSAlert summaries
PagerDuty (optional)Incident alertsUSAlert summaries

Payment Processing

NamePurposeLocationData Types
StripePayment processingUSBilling information (never stored by TruthVouch)

Analytics (Optional)

NamePurposeLocationData Types
Google AnalyticsUsage analyticsUSAnonymized usage data
MixpanelProduct analyticsUSFeature usage, sessions

Sub-Processor Agreements

All sub-processors are bound by:

  • Data Processing Agreements (DPAs)
  • Security requirements (encryption, access controls)
  • Confidentiality obligations
  • Limited use restrictions (only for service provision)
  • Data subject rights support

Right to Object

Under GDPR Article 28(4), you have the right to object to sub-processors:

To Object:

  1. Email legal@truthvouch.com with your objection
  2. Specify which sub-processor(s) you object to
  3. Explain your concerns

We’ll work with you on alternatives or discuss the necessity of each sub-processor.

Sub-Processor Changes

If we add or replace sub-processors, we will:

  1. Notify you 30 days in advance
  2. Allow you to review the new sub-processor’s DPA
  3. Provide 15 days to object before implementation

Data Transfers

Sub-processors in the US are bound by Standard Contractual Clauses (included in DPA) for GDPR-compliant data transfers. EU-based sub-processors have no transfer restrictions.

Auditing Sub-Processors

We audit sub-processors annually through:

  • Security questionnaires
  • Annual SOC 2 reports (where available)
  • Compliance certifications (ISO 27001, FedRAMP, etc.)

Questions About Sub-Processors

For questions about specific sub-processors or concerns about data handling:

Contact: legal@truthvouch.com

Subject: “[Sub-Processor] Data Processing Questions”

Last Updated: January 2024. Sub-processors updated monthly as needed.