Loading legal document…
Third-party service providers that process personal data on behalf of MultiComply
Under GDPR Article 28, you have the right to:
To exercise these rights, email privacy@multicomply.com
All third-party services that access or process customer data
| Subprocessor | Service | Data Location | Data Transferred | Added | Links |
|---|---|---|---|---|---|
Supabase Inc. US-based company | Database & Authentication PostgreSQL database hosting, user authentication, file storage, backup and recovery | Primary:European Union (Sweden, Stockholm) Backup:United States (encrypted backups only) | International Transfer SCCs in Processor DPA Protection Mechanisms:
Technical & Organizational Measures:
| ||
Stripe, Inc. US-based company with EU infrastructure | Payment Processing Processing subscription payments, managing billing, handling refunds, fraud prevention, tax calculation | Primary:European Union (Ireland) Backup:United States (encrypted backups only) | International Transfer EU-US DPF Certified Protection Mechanisms:
Technical & Organizational Measures:
| ||
Cloudflare, Inc. US-based company with EU infrastructure | Security & CAPTCHA Bot protection via Turnstile CAPTCHA, DDoS protection, web application firewall, CDN for static assets | Primary:European Union (multiple locations) Backup:Global edge network | International Transfer EU-US DPF Certified EU-Approved BCRs Protection Mechanisms:
Technical & Organizational Measures:
| ||
Resend Labs Inc. US-based company with EU infrastructure | Transactional Email Delivery Sending account notifications, password reset emails, DSAR verification emails, compliance alerts | Primary:European Union | EU Only | ||
Octonull Kft. (Billingo) Hungarian company (within EU) | NAV-compliant Invoice Issuance Issuing Hungarian NAV-compliant electronic invoices for paid subscriptions, VAT calculation and reporting, NAV Online Számla submission | Primary:Hungary (European Union) | EU Only | ||
Vercel Inc. US-based company with EU infrastructure | Application Hosting & Edge Compute Hosting the MultiComply web application, serverless function execution, edge CDN delivery, deployment infrastructure | Primary:European Union (Frankfurt) Backup:United States (encrypted backups only) | International Transfer EU-US DPF Certified Protection Mechanisms:
Technical & Organizational Measures:
|
Database & Authentication
PostgreSQL database hosting, user authentication, file storage, backup and recovery
All user data, generated documents, form answers, activity logs
Payment Processing
Processing subscription payments, managing billing, handling refunds, fraud prevention, tax calculation
Name, email address, billing address, payment card details (tokenized), transaction history, IP address
Security & CAPTCHA
Bot protection via Turnstile CAPTCHA, DDoS protection, web application firewall, CDN for static assets
IP address, browser fingerprint, user agent, request metadata
Transactional Email Delivery
Sending account notifications, password reset emails, DSAR verification emails, compliance alerts
Recipient email address, recipient name, email subject and content
NAV-compliant Invoice Issuance
Issuing Hungarian NAV-compliant electronic invoices for paid subscriptions, VAT calculation and reporting, NAV Online Számla submission
Customer name, billing address, VAT/tax number, invoice line items, transaction amounts
Application Hosting & Edge Compute
Hosting the MultiComply web application, serverless function execution, edge CDN delivery, deployment infrastructure
IP address, user agent, HTTP request metadata; production data flows through serverless functions to Supabase
We'll email you 30 days before adding new subprocessors (GDPR Article 28 requirement)
You can unsubscribe at any time. We will only send emails about subprocessor changes.
Supabase stores all primary data on EU servers (Sweden, Stockholm — eu-north-1). For disaster recovery purposes, encrypted backups are replicated to US servers.
Transfer protections in place:
This transfer is protected under GDPR Chapter V via Standard Contractual Clauses incorporated in the Supabase Data Processing Agreement.
Under GDPR Article 28(2), you have the right to object to new subprocessors. Here's the process:
Yes. As a customer, you have the right to review our DPAs with subprocessors to ensure adequate data protection.
Email privacy@multicomply.com with the subject "DPA Request" and specify which subprocessor's DPA you need.
You can also access public DPAs directly via the "DPA ↗" links in the table above.
No. MultiComply does NOT send your data to any AI service (Anthropic Claude, OpenAI, etc.) for document generation.
All documents are generated using template-based mail-merge technology. Your form answers are inserted into lawyer-written templates stored in our Supabase database. No AI is involved in the process.