Sutyr Inc.
Sub-processor Disclosure
Change Notification: Sutyr will provide 30 days’ written notice to DPA customers before adding or replacing any sub-processor. To receive notifications, ensure your DPA is executed and your notification email is current at privacy@sutyr.com. This list is the authoritative source of current sub-processors; the Privacy Policy Section 5 refers to this page. Sutyr’s notification obligation applies only to customers with an executed DPA; notification is sent to the email address designated in the DPA.
| Sub-processor | Purpose and scope | Data categories processed | Transfer basis |
|---|---|---|---|
| Amazon Web Services Amazon Web Services, Inc. United States aws.amazon.com/privacy | Cloud infrastructure — compute (EC2), managed database (RDS), object storage (S3), and operational monitoring (CloudWatch). Primary hosting environment for all Sutyr platform services. | Account data Billing event data Product usage data Confidentiality incident register | AWS DPA; SCCs (GDPR); PIPEDA attestation |
| Stripe Stripe, Inc. United States stripe.com/privacy | Payment processing infrastructure. Sutyr uses Stripe’s OAuth integration to receive webhook event data for orchestration. Stripe is the financial source of truth; Sutyr does not store raw payment instrument data. | Payment data Account data Billing event data | Stripe DPA; SCCs (GDPR) |
| Temporal Cloud Temporal Technologies, Inc. United States temporal.io/privacy | Durable workflow orchestration engine. Sutyr’s billing retry logic, edge-case handling, and workflow execution runs on Temporal Cloud. Workflow payloads may contain billing event identifiers and account references. | Billing event data Account data | Temporal DPA; SCCs (GDPR) |
| Stytch Stytch Inc. United States stytch.com/privacy | B2B authentication and identity management. Handles user login, session management, organization provisioning, and member management for all Sutyr platform accounts. | Account data Contact and inquiry data | Stytch DPA; SCCs (GDPR) |
| Vercel Vercel Inc. United States vercel.com/legal/privacy-policy | Frontend hosting and edge delivery for sutyr.com and the Sutyr platform web application. Processes request metadata in transit. Vercel Analytics (cookieless) used for aggregate traffic measurement. | Website technical data | Vercel DPA; SCCs (GDPR) |
| Cloudflare Cloudflare, Inc. United States cloudflare.com/privacypolicy | Content delivery network, DDoS mitigation, DNS, and TLS termination. Processes request metadata in transit for all traffic to sutyr.com and platform endpoints. No persistent personal data storage. | Website technical data | Cloudflare DPA; SCCs (GDPR) |
| Cloudflare Turnstile Cloudflare, Inc. United States cloudflare.com/privacypolicy | Bot detection and form spam protection on sutyr.com application forms. Cloudflare evaluates browser and device signals on submission to issue a one-time attestation token. Processed in transit; no persistent storage of personal data on Cloudflare's side. | Website technical data Contact and inquiry data (submission metadata) | Cloudflare DPA; SCCs (GDPR) |
| Resend Resend Inc. United States resend.com/privacy | Transactional email delivery for account notifications, billing alerts, onboarding messages, and workflow event communications sent to Sutyr customers and their designated contacts. | Contact and inquiry data Account data | Resend DPA; SCCs (GDPR) |
| Neon Neon Inc. United States neon.tech/privacy | Managed Postgres database for sutyr.com application form submissions (founding-cohort applications). Stores applicant name, work email, company, role, stage, optional setup description, and audit hashes. Provisioned via Vercel Marketplace; data resides in Neon's US region. | Contact and inquiry data Account data | Neon DPA; SCCs (GDPR) |
| Sentry Functional Software, Inc. (dba Sentry) United States sentry.io/privacy | Error monitoring and exception tracking for sutyr.com. Captures uncaught exceptions, stack traces, and request metadata; email addresses are hashed (SHA-256) before they reach Sentry — raw email never leaves Sutyr's infrastructure. Session replay enabled only on error, with all input values masked. | Website technical data Error and diagnostic data | Sentry DPA; SCCs (GDPR) |
Self-hosted services (not sub-processors)
The following services run on Sutyr’s own AWS infrastructure and do not transmit personal data to third-party servers. They are not sub-processors and are not included in the table above.
| Service | Description |
|---|---|
| PostHog | Product analytics — self-hosted on AWS EC2, cookieless mode, no external data transmission. All event data remains within Sutyr’s AWS infrastructure. |