Sub-processors
The third parties we trust with your data.
We rely on a small set of carefully chosen third-party services to run Debutap. Every one of them is bound by a written contract that meets or exceeds our obligations to you, and where international transfers are involved we use Standard Contractual Clauses. This page is updated whenever the list changes — and we notify customers 30 days before adding or replacing a sub-processor.
1. What is a sub-processor?
A sub-processor is any third party that processes personal data on our behalf to help us deliver the Service. Common examples: cloud hosts, payment gateways, transactional email senders, monitoring tools. This is different from "independent third parties" (like your domain registrar) — those have their own relationship with you.
2. Infrastructure
| Vendor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| DigitalOcean | Primary cloud hosting — application servers, database, queues | All customer data we host on Debutap | India (BLR1, Bengaluru) | Indian destination; SCCs for transfers from EEA/UK |
| Cloudflare | DNS, CDN, WAF, DDoS protection, edge caching, on-demand TLS for custom domains | IP addresses, request metadata, cached static assets | Global edge network | SCCs; Cloudflare DPA |
| Cloudflare R2 | Object storage for media (images uploaded to cards) | Uploaded media files and the metadata you set on them | Asia / EU regions, customer-selectable | SCCs |
| MongoDB Atlas (planned for V1) | Managed database hosting | All structured customer data | Asia / EU / US regions, customer-selectable in dashboard | SCCs |
3. Payments
| Vendor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Razorpay | Card / netbanking / wallet / UPI / EMI payment processing for Indian customers and Indian merchants | Payment data, billing name, contact, last four digits | India | Direct controller-to-controller for payment regulatory compliance |
| Stripe | International card payments and recurring subscriptions | Payment data, billing address, tax IDs | USA, Ireland, India (Stripe India for INR settlements) | SCCs; Stripe DPA |
| UPI Deep-Link providers | Native UPI checkout via PhonePe / GPay / Paytm intents | UPI handle, transaction reference | India | Direct PSP relationships |
4. Communications
| Vendor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Resend | Transactional email — sign-up, password reset, billing receipts, alerts | Recipient email, message content | USA | SCCs; Resend DPA |
| MSG91 / similar Indian email provider (planned for marketing campaigns) | Customer marketing campaigns sent through Debutap | Recipient lists you import, message content | India | India-only by default |
| Meta WhatsApp Business Platform (V2+) | WhatsApp template messages, order notifications | Phone numbers, message content, template IDs | USA / EU | SCCs via Meta's Business Tools DPA |
5. Authentication
| Vendor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Google (Sign in with Google) | Optional Google OAuth login | Name, email, profile photo, Google account ID — only when the user chooses to sign in via Google | USA / Global | SCCs; Google Cloud DPA |
6. Analytics & monitoring
| Vendor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Sentry | Error tracking and performance monitoring | Browser / server error stack traces, request URL, anonymised user ID | USA / EU | SCCs; Sentry DPA |
| Plausible / Umami (planned for marketing site) | Privacy-friendly site analytics on debutap.com (no cookies, no personal data) | Aggregated page views, device class | EU | EU-hosted; no transfers |
7. Media storage
Covered under Infrastructure (Cloudflare R2). No additional sub-processors.
8. AI services (V2+, opt-in)
| Vendor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Anthropic (Claude) | AI card generation, translation, on-card chatbot — all opt-in per feature | Only the content you submit for that feature; not used by Anthropic to train models | USA / EU | SCCs; Anthropic Commercial Terms |
| OpenAI (fallback only) | Backup AI provider for the same opt-in features | Same as above | USA / EU | SCCs; OpenAI Enterprise Terms |
9. NFC printing & shipping partners
| Vendor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| NFC printing partner (Indian fulfilment vendor — name disclosed on request) | Printing and PVD coating of physical NFC cards | Card design artwork, shipping name and address, order quantity | India | Domestic data processing agreement |
| Shiprocket / Bluedart / DTDC (for shipments) | Last-mile delivery | Shipping name, address, phone | India + receiving country for international shipping | Direct carrier relationships |
10. Change notifications
- We post additions or replacements to this page at least 30 days before a new sub-processor begins processing personal data, where required.
- Business-plan customers are also emailed individually.
- For emergency replacements (e.g. a vendor outage), we may shorten the notice period and explain the reason.
11. How to object
If you have reasonable data-protection objections to a new sub-processor, write to [email protected]within the notice period. If we can't address the objection, you may terminate the affected subscription and receive a prorated refund of any prepaid unused period (see our DPA).
Questions about this document? Get in touch at [email protected].
See all legal documents