Subprocessors
Effective 2026-05-03
A “subprocessor” is any third party we engage to process customer data on our behalf. We list every one of them below, along with what they do, where they sit, and what categories of customer data they handle. This page is the canonical reference cited by our Privacy Policy and any signed Data Processing Agreement (DPA).
Notification of changes
We notify customers on Team and Enterprise plans at least 30 days before adding a new subprocessor that processes their data. Notifications go to the billing contact on file. Free, Pro, Pro+, and API Pro customers can subscribe to material changes by emailing contact@corpstacking.com with “subprocessor updates” in the subject line.
Current subprocessors
| Subprocessor | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account, profile, holdings, alert subscriptions, ledger rows | United States |
| Vercel | Hosting, edge network, build CI, performance analytics | Request logs, IP (transient), Core Web Vitals | United States |
| Stripe | Payment processing, subscription billing | Billing email, payment method tokens — card data never touches us | United States |
| Resend | Transactional email + magic-link delivery | Email address, message content for alerts and auth flows | United States |
| Anthropic | AI analyst — Claude API for /chat tool calls | User-typed messages + dataset rows fetched during the conversation. Anthropic does not train on this data per their commercial terms. | United States |
| PostHog | Product analytics — optional, user-consented | Anonymous user ID, page views, feature events. Disabled if you opt out of analytics cookies. | United States / EU |
| Telegram | Telegram bot — alert delivery only | Telegram chat ID + alert payload. We do not pull anything back from Telegram. | Global |
| CoinGecko | Cryptocurrency market data | No customer data — outbound only | Global CDN |
| CryptoCompare | Historical cryptocurrency price data | No customer data — outbound only | Global CDN |
| Bitbo | Public corporate-treasury reference data | No customer data — outbound only | Global CDN |
| alternative.me | Fear & Greed Index data | No customer data — outbound only | Global CDN |
| Surge | SMS / MMS delivery — currently disabled, stays listed for re-enable readiness | Phone number, message content. Channel disabled while we re-apply for crypto-info carrier approval. | United States |
| Coinzilla | Advertising — free tier only | No customer data sent server-side; client-side ad rendering only | European Union |
Sub-subprocessors
Some subprocessors above use their own subprocessors (for example, Vercel uses AWS for compute and Cloudflare for parts of its edge network; Supabase uses AWS for managed Postgres). Each vendor publishes their own subprocessor list and notification policy; we treat their disclosures as authoritative for the downstream layer.
How we vet subprocessors
- Each new vendor is evaluated for security posture, data-residency story, and contractual willingness to sign a DPA before any production traffic reaches them.
- We sign a DPA (or equivalent contractual obligations) with every subprocessor that handles personally identifiable customer data.
- Outbound-only data sources (CoinGecko, CryptoCompare, Bitbo, alternative.me) do not receive customer data and are listed for transparency rather than as contractual subprocessors.
Questions
For DPA execution, security questionnaires, or escalations: contact@corpstacking.com. For data-rights requests under GDPR / CCPA / CPRA: contact@corpstacking.com. To report a suspected security issue at any subprocessor or our service: contact@corpstacking.com.