Version: v1.1
Published: 6th November 2025
Contact: privacy@certcrowd.com
We work with a small number of trusted third parties to help us run our services, for example to provide secure computing and storage. Beyond these essential providers, we may use a limited set of specialist sub-processors to help us deliver a high standard of service. We vet each provider for strong privacy and security practices and put appropriate safeguards in place. For details, see our Privacy Policy.
Notice and objections. We will post updates to this Register at least 30 days before authorising a new sub-processor or replacing one for the same purpose, and we will notify subscribed contacts. To subscribe, email privacy@certcrowd.com with the subject "Sub-processor updates". Customers may object on reasonable privacy or security grounds; see the DPA for the process.
Emergency changes. If we must add or replace a sub-processor without prior notice (for example to restore availability, address a security incident or vulnerability, or comply with law), we may do so immediately. In that case, we will update this Register and notify subscribed contacts as soon as practicable and no later than 7 days after the change. Customers may then object within 14 days on reasonable privacy or security grounds; we will work in good faith to provide a commercially reasonable alternative. If no alternative is available, the customer may suspend the affected functionality or terminate the impacted services in accordance with the DPA.
| Provider | Role | Data types (subset) | Regions used |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Hosting: compute, storage, databases, backups; logging; CDN/edge | Customer content and metadata; support attachments when uploaded; service logs and metrics | eu-central-1 (Germany), ap-southeast-2 (Australia), ap-southeast-1 (Singapore), us-east-1 / us-west-2 (USA); global edge network for CDN/DNS |
| Clerk, Inc. | Authentication and user management | Auth identifiers, password hashes, MFA factors, device and session IDs, audit logs, account metadata | Global (including USA) - vendor-determined; no EU-only residency commitment |
| Mailgun Technologies, Inc. | Transactional email delivery | Recipient and sender addresses, headers, delivery logs, suppressions; message body where needed for delivery | EU (Germany) or USA (per configuration; EU via api.eu.mailgun.net) |
| Bugsnag (SmartBear) | Error and performance monitoring | Error payloads, stack traces, device or browser and session metadata; may include pseudonymous user IDs | Global (GCP) - vendor-hosted; no EU-only residency commitment stated |
| CloudConvert (Lunaweb GmbH) | File export and conversion (feature-dependent) | Exported files and conversion artefacts generated on demand | Selected processing region (for example EU) per vendor settings; hosted exclusively in selected region |
| Google Cloud Platform (Vertex AI, Compute/Storage, BigQuery ML) | AI inference and training integrated into app | User prompts, model outputs, app identifiers and metadata | Sydney, Australia; Melbourne, Australia; some managed services can be multi-regional |
| Google Cloud Platform - Vertex AI | AI and ML processing used by app features (processor or sub-processor) | Model inputs and outputs (prompts, files, results), user IDs, event metadata needed to deliver AI features | AU regions configured (Sydney australia-southeast1; Melbourne australia-southeast2). Some services can be multi-regional; pin residency where available. |
| Google - Sign in with Google | Identity Provider - typically independent controller | Google subject identifier, email, name or profile image (if requested), auth event metadata (IP, timestamp) | IdP operates globally. Your app or Clerk stores only selected claims; storage region per your Clerk or app configuration. |
| Microsoft - Entra ID / Sign in with Microsoft | Identity Provider - typically independent controller | Subject or tenant IDs (oid or tid), email, display name, auth event metadata (IP, timestamp) | Entra is largely non-regional or global. If using External ID or B2C directly, data-residency options exist (US/EU/APAC including AU). |
| Apple - Sign in with Apple | Identity Provider - typically independent controller | Apple subject ID, user name (if shared), email or @privaterelay.appleid.com alias, auth event metadata | Global service; Apple indicates personal data is generally stored in the United States for many services. |

