List of Sub-Processors

Last updated: April 1, 2026

1. Overview

Valorcy uses certain third-party sub-processors to provide our services efficiently and securely. These sub-processors are carefully vetted and contractually bound to handle your data in accordance with our Data Processing Agreement and applicable data protection laws.

We maintain this list of sub-processors as a transparency measure for our customers and data subjects. This page is updated whenever we add, remove, or change a sub-processor. We recommend reviewing this page periodically to stay informed about the third-party services involved in the delivery of Valorcy.

If you have questions or concerns about any of our sub-processors, please contact our Data Protection Officer at dpo@Valorcy.io.

2. Infrastructure and Hosting

Amazon Web Services (AWS) — Primary cloud infrastructure provider for hosting, computing, and storage services. AWS processes data in the United States, European Union, and Asia-Pacific regions. AWS is SOC 2 Type II certified, ISO 27001 certified, and GDPR compliant. Data is encrypted at rest using AES-256 and in transit using TLS 1.2+. AWS Privacy Policy: https://aws.amazon.com/privacy/

Cloudflare — Content delivery network (CDN) and DDoS protection provider. Cloudflare caches and serves static content from edge locations worldwide to improve page load times. Cloudflare processes data globally across its network of 300+ data center locations. Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/

Vercel — Edge computing and serverless function platform used for rendering and dynamic content delivery. Vercel processes data in the United States and European Union. Vercel is SOC 2 Type II certified. Vercel Privacy Policy: https://vercel.com/legal/privacy-policy

3. Payment Processing

Stripe — Payment processing for credit card, debit card, and ACH payments. Stripe is PCI DSS Level 1 certified, the highest level of payment security certification. Stripe processes payment data in the United States and European Union and does not store full card numbers on Valorcy's servers. Stripe Privacy Policy: https://stripe.com/privacy

PayPal — Alternative payment processing provider for customers who prefer to pay via PayPal balance, linked bank accounts, or PayPal credit. PayPal is PCI DSS compliant and processes payments globally. PayPal Privacy Policy: https://www.paypal.com/us/webapps/mpp/ua/privacy-full

4. Analytics and Monitoring

Google Analytics — Web analytics service used to collect anonymized usage data for improving our platform. Google Analytics data is anonymized and aggregated; no personally identifiable information is shared with Google for analytics purposes. Google Privacy Policy: https://policies.google.com/privacy

Sentry — Error monitoring and performance tracking service used to identify and resolve technical issues on our platform. Sentry collects limited technical data such as error traces and stack frames, which may contain fragmentary personal data. Sentry Privacy Policy: https://sentry.io/privacy/

PostHog — Product analytics and feature flagging service used to understand how users interact with our platform and to roll out features gradually. PostHog Privacy Policy: https://posthog.com/privacy

5. Communication and Support

SendGrid — Transactional email delivery service used to send account verification emails, password reset notifications, billing receipts, and other system-generated emails. SendGrid processes email addresses and limited metadata required for email delivery. SendGrid Privacy Policy: https://www.twilio.com/en-us/legal/privacy

Intercom — Customer support and live chat platform used to provide real-time assistance to our users. Intercom processes the content of support conversations, user profile information, and page visit data when the chat widget is active. Intercom Privacy Policy: https://www.intercom.com/legal/privacy

Slack — Internal team communication tool. Slack is not used to process customer data directly but may contain references to customer accounts in internal support discussions. Slack Privacy Policy: https://slack.com/intl/en-us/trust/privacy/privacy-policy

6. Sub-Processor Change Notifications

When we add a new sub-processor or make a material change to an existing sub-processor arrangement, we will notify Enterprise customers via email at least 30 days before the change takes effect. Non-enterprise customers will be notified via a post on our status page or a general service announcement.

If you object to a proposed sub-processor change on reasonable grounds related to data protection, please contact our DPO at dpo@Valorcy.io within the notification period. We will work with you to find a mutually acceptable solution, which may include providing additional safeguards or, where feasible, offering an alternative service configuration.

We conduct annual reviews of all sub-processors to ensure they continue to meet our security and privacy standards. Sub-processors that fail to maintain appropriate certifications or that experience security incidents may be removed from our approved list and replaced with compliant alternatives.