Subprocessors
Last updated: 24 May 2026
Overview
Under Article 28 of the GDPR, we use the following subprocessors to deliver the SuperShift service. Each is bound by a Data Processing Agreement with Sidestream OÜ and is certified, located in the EU, or contractually bound to standards equivalent to the GDPR (EU-US Data Privacy Framework where applicable).
The legal terms of our processor relationship with Customers are set out in our Data Processing Agreement.
Current subprocessors
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| Vercel Inc. | Application hosting and edge delivery | USA (EU regions used where available) | EU-US Data Privacy Framework certified, SCCs |
| Neon Inc. | Managed Postgres database (Customer data at rest) | EU (Frankfurt region) | EU-located, SOC 2 Type II |
| Resend Inc. | Transactional and marketing email delivery (incl. newsletter, onboarding, supplier orders) | USA | EU-US Data Privacy Framework, SCCs |
| Stripe Payments Europe Ltd | Payment processing for paid subscriptions | Ireland (EU) | EU-located, PCI-DSS Level 1 |
| Google LLC (Analytics + Tag Manager + OAuth) | Usage analytics and sign-in with Google | USA | EU-US Data Privacy Framework, SCCs. Analytics loaded with user consent (banner rollout in progress); OAuth used strictly when a user chooses to sign in with Google. |
| GitHub Inc. | Source code hosting (no Customer data) | USA | EU-US Data Privacy Framework |
Notification of changes
We notify Customers of any new subprocessor at least 30 days in advance via the Customer's primary contact email. Customers may object to a new subprocessor — on reasonable, documented grounds — by emailing privacy@supershift.app within the notice period. Where we cannot accommodate the objection, the Customer may terminate the affected portion of the Service on the terms set out in our Data Processing Agreement.
Contact
Sidestream OÜ
Ahtri tn 12, 15551 Tallinn, Estonia
Privacy contact: privacy@supershift.app
Registry code: 17374822