This page lists the third-party service providers that Evertin AB ("Evertin") uses to process personal data on its behalf in the course of operating the Evertin platform. We update this list whenever we add, replace, or remove a subprocessor. We notify customers (brand admins) at least 30 days before any change takes effect, where reasonably practical.
For background on how Evertin shares personal data and on the legal safeguards applied to international transfers, see our Privacy Policy §4 and §5.
Active subprocessors
| Subprocessor | Purpose | Data processed | Location | Transfer safeguard |
|---|---|---|---|---|
| Supabase | Primary database (Postgres), authentication, file storage. | All account data, all platform content (messages, applications, uploads), audit log. | European Union (Frankfurt region). | N/A — data remains in the EU. |
| Vercel | Application hosting, edge compute, content delivery, cron jobs, bot-detection (BotID), platform-level rate limiting. | All traffic to evertin.com and subdomains. Account data accessed in compute. Bot fingerprints for signup and form-submission anti-abuse. | United States, with edge presence globally. | EU Standard Contractual Clauses (SCCs) signed in Vercel's DPA. |
| Anthropic | AI processing for Creator Club application scoring, Brand Brain voice composition, Personal Brain voice composition, and other AI-assisted features. | Application answers (text), message excerpts used for voice training (with brand/employee consent), prompts and responses for each AI call. | United States. | EU Standard Contractual Clauses signed in Anthropic's DPA. Zero-data-retention: Anthropic does not retain or train on data sent via our API integration. |
| Resend | Transactional email delivery (account verification, welcome emails, password reset). | Email addresses of recipients, message body. | United States. | EU Standard Contractual Clauses signed in Resend's DPA. |
| Cloudflare | Bot detection on the signup form via Cloudflare Turnstile. | IP address, browser fingerprint signals during the challenge. | United States, with global edge presence. | EU Standard Contractual Clauses signed in Cloudflare's DPA. |
How we evaluate subprocessors
Before engaging a subprocessor, Evertin:
- Reviews the subprocessor's security and privacy practices, including any certifications (ISO 27001, SOC 2, etc.) they hold.
- Signs a Data Processing Agreement (DPA) that binds the subprocessor to process personal data only on Evertin's documented instructions and to provide equivalent safeguards.
- For subprocessors outside the European Economic Area, ensures appropriate transfer safeguards are in place (typically the EU Standard Contractual Clauses 2021/914).
We require all subprocessors to notify us promptly of any personal-data breach affecting Evertin data.
Changes to this list
This page is updated when subprocessors change. If you are a brand admin and need to be notified directly of changes (for your own GDPR record-keeping), email privacy@evertin.com and we will add you to the change-notification list.
Contact
For any subprocessor-related questions, contact us at privacy@evertin.com.
Other legal docs: Privacy Policy · Terms of Service · Acceptable Use Policy · Cookie Policy