This page lists subprocessors and important integration providers that may process personal data for TatTool. The exact providers involved depend on the product features, environment, and customer configuration.

Some providers are used by Bilfi ApS to operate TatTool. Other providers may be connected by a customer, such as the customer's own Stripe, Resend, Twilio, SendGrid, or other communication account. Customer configured providers may operate under the customer's direct relationship with that provider.

Current Subprocessors and Integration Providers

• Supabase: Managed PostgreSQL database infrastructure for the TatTool application database.
  Data: Account, studio, client, booking, consent, payment metadata, workflow, log, and operational data stored in the TatTool application database.
  Location: Configured Supabase project region; processing may also occur where needed to provide support and operate the service.
  Safeguards: Data processing terms, regional project configuration, access controls, encryption, backups, and transfer safeguards where needed.
• Cloudflare: Object storage, public file delivery, infrastructure, security, and related service operations where configured.
  Data: Account, workspace, file, log, and operational data where the relevant Cloudflare service is used.
  Location: Global provider; storage and processing region depends on configured service and deployment.
  Safeguards: Data processing terms, transfer safeguards, access controls, and service security controls.
• Amazon Web Services: Secure object storage, encryption key management, backups, and consent PDF storage where configured.
  Data: Uploaded files, signed consent PDFs, encryption metadata, backups, and related operational data where configured.
  Location: Configured AWS region, currently intended for EU-region storage for consent workflows where enabled.
  Safeguards: Data processing terms, regional configuration, encryption controls, and transfer safeguards where needed.
• Stripe: Subscription billing, Checkout, Stripe Connect, payment requests, refunds, account status, webhooks, and payment processing.
  Data: Billing contacts, payment records, payment status, Stripe account identifiers, checkout identifiers, refund and payout metadata, and fraud or compliance data handled by Stripe.
  Location: Global payment provider.
  Safeguards: Stripe data processing terms, payment security controls, and transfer safeguards.
• Resend: Transactional email, organization email, delivery events, and email webhooks where configured.
  Data: Email addresses, sender details, message content, delivery events, webhook events, and related metadata where Resend is used.
  Location: Global email provider.
  Safeguards: Data processing terms, provider security controls, and transfer safeguards.
• Twilio: SMS delivery, message status events, and communication webhooks where configured.
  Data: Phone numbers, SMS message content, delivery events, webhook events, and related metadata where Twilio is used.
  Location: Global communications provider.
  Safeguards: Data processing terms, provider security controls, and transfer safeguards.
• SendGrid: Email delivery for customer-configured email workflows where configured.
  Data: Email addresses, sender details, message content, delivery events, and related metadata where SendGrid is used.
  Location: Global email provider.
  Safeguards: Provider terms selected by the customer and transfer safeguards where applicable.
• GlitchTip or Sentry-compatible monitoring: Error monitoring, diagnostics, incident investigation, and service reliability.
  Data: Error traces, diagnostics, device and browser data, environment metadata, and limited user or organization identifiers when needed to investigate issues.
  Location: Depends on the configured monitoring deployment.
  Safeguards: Access controls, diagnostic data minimization, and provider or self-hosted security controls.
• OpenAI: AI-assisted documentation answers and related support features where those features are used.
  Data: Documentation assistant prompts, retrieved documentation context, generated answers, and related technical logs where AI support features are used.
  Location: Global AI provider.
  Safeguards: Provider data processing terms and transfer safeguards where applicable.

Changes

Bilfi ApS may update this page when subprocessors or integration providers change. Where required by law or a signed customer agreement, we will provide reasonable notice of material subprocessor changes and allow customers to object on reasonable data protection grounds.

Questions

For questions about subprocessors, transfer safeguards, or customer-specific processing, contact info@tattool.io.