Sub-processors
Last updated: April 30, 2026
Masarap Cafe relies on the following sub-processors to operate the platform. Each sub-processor is bound by a written Data Processing Agreement (GDPR Article 28) that limits processing to the purposes listed below, requires equivalent security controls, and prohibits onward transfer without authorization. International transfers are made under the EU-U.S. Data Privacy Framework (where the vendor is certified) or under the European Commission’s 2021/914 Standard Contractual Clauses with supplementary technical measures (encryption in transit and at rest).
We notify customers of material changes to this list via this page and (for registered users) via email at least 30 days before a new sub-processor begins processing personal data, unless the change is required by law or to address a critical security risk.

| Sub-processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Render | Application hosting (API, web, KDS) | United States — Oregon | Standard Contractual Clauses (2021/914) |
| MongoDB Atlas | Primary database (orders, users, audit log) | United States | Standard Contractual Clauses (2021/914) |
| Upstash / Render Redis | Cache, rate limiting, session state | United States | Standard Contractual Clauses (2021/914) |
| Stripe | Payment processing for sauce orders, refunds, fraud signals | United States, global | EU-U.S. Data Privacy Framework (DPF) |
| Square | Payment processing for food orders, kitchen display sync | United States | Standard Contractual Clauses (2021/914) |
| EasyPost | Shipping label generation and tracking | United States | Standard Contractual Clauses (2021/914) |
| Cloudinary | Product imagery storage and CDN delivery | United States, global CDN | EU-U.S. Data Privacy Framework (DPF) |
| Resend | Transactional email delivery (receipts, password reset, alerts) | United States | EU-U.S. Data Privacy Framework (DPF) |
| Sentry | Error monitoring with PII redaction enabled | United States | Standard Contractual Clauses (2021/914) |
| Google (Sign-In, Analytics) | Federated login; consent-gated analytics | United States | EU-U.S. Data Privacy Framework (DPF) |
| Apple (Sign-In) | Federated login (iOS / mobile) | United States | Apple Privacy Policy / SCCs |
| Vercel | Frontend hosting and CDN | United States, global | EU-U.S. Data Privacy Framework (DPF) |

Questions about sub-processors, DPAs, or international transfer mechanisms can be sent to dpo@masarapcafe.com.