Subprocessors
Last Updated: December 30, 2025
Introduction
This page lists the third-party service providers ("Sub-processors") that Policy Change Radar uses to process customer data. We carefully vet all Sub-processors to ensure they meet our security and privacy standards.
This list is maintained as part of our Data Processing Agreement obligations and is updated when we add, change, or remove Sub-processors.
Change Notification
We will notify customers at least 30 days before adding a new Sub-processor or making material changes to existing Sub-processors. Notifications are sent via email to the account owner.
If you object to a new Sub-processor on reasonable data protection grounds, please contact us at privacy@policychangeradar.com within 30 days of notification.
Current Subprocessors
| Sub-processor | Service Provided | Data Location | Purpose |
|---|---|---|---|
|
Stripe, Inc. Privacy Policy |
Payment Processing | United States | Processes subscription payments and billing information. Stripe is PCI-DSS Level 1 certified. |
|
[Email Service Provider] SendGrid, Mailgun, or Amazon SES |
Email Delivery | United States | Sends transactional emails including alerts, notifications, password resets, and account communications. |
|
[Cloud Infrastructure Provider] AWS, Google Cloud, or similar |
Cloud Hosting | United States | Provides infrastructure for hosting the application, database, and storage services. SOC 2 Type II certified. |
Note: Specific provider names in brackets will be updated once services are finalized.
Sub-processor Selection Criteria
We select Sub-processors based on the following criteria:
- Strong security and privacy practices
- Compliance with applicable data protection laws (GDPR, CCPA)
- Appropriate technical and organizational measures
- Industry certifications (SOC 2, ISO 27001, etc.)
- Data Processing Agreements in place
- Regular security assessments and audits
- Incident response capabilities
- Transparent privacy policies
Data Processing Agreements
All Sub-processors are bound by data processing agreements that:
- Impose data protection obligations equivalent to those in our DPA
- Require appropriate security measures
- Limit processing to our instructions
- Require confidentiality commitments
- Include data breach notification requirements
- Provide audit rights
- Address data deletion and return upon termination
International Data Transfers
Some Sub-processors may process data in jurisdictions outside the European Economic Area (EEA). For transfers to countries without an adequacy decision from the European Commission, we ensure appropriate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures as recommended by the European Data Protection Board
- Transfer Impact Assessments where required
Sub-processor Oversight
We maintain ongoing oversight of Sub-processors through:
- Regular security and compliance reviews
- Monitoring of security incidents and data breaches
- Review of audit reports and certifications
- Assessment of changes to Sub-processor practices
- Periodic re-evaluation of Sub-processor relationships
Our Liability
Policy Change Radar remains fully liable to you for the performance of Sub-processors in accordance with our Data Processing Agreement. We are responsible for ensuring Sub-processors comply with data protection obligations.
Questions and Objections
If you have questions about our Sub-processors or wish to object to a new Sub-processor:
- Privacy Team: privacy@policychangeradar.com
- DPA Questions: See our Data Processing Agreement
Change History
| Date | Change |
|---|---|
| December 30, 2025 | Initial publication of Subprocessors list |