Sub-processors
Last updated: April 2026
Operated by: ClawNet (trading as Vigil), England & Wales
Vigil uses the following third-party services (sub-processors) to provide the Service. We require each sub-processor to maintain appropriate data protection standards, including entering into Data Processing Agreements (DPAs) with us that are no less protective than our obligations to you.
Current Sub-processors
| Service | Provider | Purpose | Data Processed | Data Location | Transfer Mechanism |
|---|---|---|---|---|---|
| Authentication & Database | Supabase Inc. | User accounts, authentication, stack selections, alert data storage | Email address, password hash (Supabase-managed), session tokens, usage logs | US-East (AWS us-east-1) | EU SCCs 2021/914 (Module 2) + UK IDTA |
| Email Delivery | Resend Inc. | Transactional alert emails, receipts, and service notifications | Email address, alert content | United States (primary delivery) | EU SCCs 2021/914 (Modules 1, 2, 3) + UK Addendum + EU-US DPF + UK Extension to DPF |
| Payment Processing | Stripe Inc. | Subscription billing and payment processing | Billing email, payment method token (last 4 digits reference) | United States (primary); EU/UK replicas | EU SCCs 2021/914 (Modules 1, 2) + UK Addendum (Version B1.0) + EU-US DPF + Swiss-US DPF. Note: Stripe is an independent data controller for fraud detection and PCI compliance purposes. |
| Application Hosting | Railway Corp. | Hosting the Vigil application backend | All transient request data processed during Service operation | US-West (GCP us-west2) | EU-US DPF (primary) + UK-US DPF Extension + EU SCCs 2021/914 (supplementary) + UK IDTA |
| DNS & CDN | Cloudflare Inc. | DNS resolution, edge caching, DDoS protection | IP address, user agent string (edge logs — not stored by Vigil) | Global edge network; R2 origin US | EU SCCs 2021/914 (Modules 2, 3) + UK Addendum (Version B1.0) + EU-US DPF |
Transfer Mechanisms — Key
- EU SCCs 2021/914: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 — Standard Contractual Clauses for the transfer of personal data to third countries under the GDPR.
- UK IDTA: International Data Transfer Agreement (Version B1.0) — issued by the UK Information Commissioner under the Data Protection Act 2018 for UK-origin international transfers.
- UK Addendum: UK Addendum (Version B1.0) to the EU SCCs — converts the EU SCCs into a UK-compliant transfer mechanism for EEA + UK dual coverage.
- EU-US DPF: EU-US Data Privacy Framework — adequacy mechanism adopted by the European Commission in July 2023.
- UK Extension to DPF: UK Extension to the EU-US Data Privacy Framework — UK adequacy mechanism covering UK → US transfers.
- Swiss-US DPF: Swiss-US Data Privacy Framework — adequacy mechanism for Switzerland → US transfers.
Sub-processor Changes
We review our sub-processor list regularly. We will notify customers of any material additions or replacements at least 30 days in advance by email to the address associated with your account.
If you object to a new sub-processor on data protection grounds, please contact privacy@vigil.junocode.com within 14 days of the notification. We will work to accommodate reasonable objections where operationally feasible.
DPAs and SCC Copies
Copies of applicable Sub-processor DPAs and Standard Contractual Clauses are available on request at privacy@vigil.junocode.com.
Sub-processor DPA links for reference:
- Supabase DPA: supabase.com/legal/dpa
- Resend DPA: resend.com/legal/dpa
- Stripe DPA: stripe.com/en-gb/legal/dpa
- Railway: Incorporated via privacy policy and data processing agreements (railway.com/legal/privacy)
- Cloudflare DPA: cloudflare.com/cloudflare-customer-dpa
Contact
For sub-processor and data protection queries: privacy@vigil.junocode.com