Sub-processors
Cadences.work engages the following third parties to deliver the service. Each is bound by a Data Processing Agreement that includes the 2021 European Commission Standard Contractual Clauses where applicable.
We notify each active customer's primary admin contact by email at least 30 days before adding a new sub-processor that processes customer personal data. To raise an objection or ask a question, contact privacy@cadences.work.
Infrastructure
Vercel Inc. (USA)
- Purpose
- Application hosting, Next.js runtime, CDN / edge network, and domain registrar for cadences.work
- Data
- Data in transit, request logs, deployment artifacts, domain registration metadata
- Location
- Functions pinned to EU (Dublin, dub1); CDN cache global
- Certifications
- SOC 2 Type II, ISO 27001
- Transfer mechanism
- DPA + 2021 EU SCCs
Supabase Inc. (USA)
- Purpose
- Managed PostgreSQL, authentication, object storage
- Data
- All persistent customer data
- Location
- EU region (eu-west-1, Ireland)
- Certifications
- SOC 2 Type II, ISO 27001, HIPAA-eligible
- Transfer mechanism
- DPA + 2021 EU SCCs
AI & machine learning
OpenAI, L.L.C. (USA)
- Purpose
- LLM API for feedback summarisation and structured insights. All AI features are experimental and disabled by default; engaged only when a customer organisation explicitly opts in.
- Data
- Feedback text submitted for AI processing (text only). No profile data or identifiers added to the prompt by Cadences.
- Location
- USA
- Certifications
- SOC 2 Type II, CSA STAR
- Transfer mechanism
- DPA + 2021 EU SCCs. Provider's own data-usage and retention terms apply to API submissions.
Communication
Postmark / ActiveCampaign (USA)
- Purpose
- Transactional email: authentication, invitations, notifications
- Data
- Recipient email, message subject and body
- Location
- USA
- Certifications
- SOC 2 Type II, ISO 27001
- Transfer mechanism
- DPA + 2021 EU SCCs
Billing
Stripe Payments Europe Ltd (Ireland)
- Purpose
- Subscription billing, payment processing, invoicing
- Data
- Customer billing contact, VAT/GST IDs, card metadata (tokenised by Stripe — never touches Cadences systems), invoice line items. No customer-employee personal data flows here.
- Location
- Stripe-controlled; primary EU establishment in Ireland
- Certifications
- PCI-DSS Level 1, SOC 2 Type II, ISO 27001
- Transfer mechanism
- DPA + 2021 EU SCCs
Analytics & observability
Google LLC — Google Analytics 4 (USA)
- Purpose
- Aggregate usage analytics on site and product
- Data
- Device info, page views, hashed pseudo-IDs (IPs not stored)
- Location
- USA (Google data infrastructure)
- Certifications
- ISO 27001/27017/27018, SOC 2/3
- Transfer mechanism
- Google Cloud DPA + 2021 EU SCCs (Data Processing Terms accepted); Google Signals disabled; advertising features disabled; loaded only after explicit consent
Operations
GitLab Inc. (USA)
- Purpose
- Source code hosting, CI
- Data
- Source code only — no customer personal data
- Location
- USA
- Certifications
- SOC 2 Type II, ISO 27001
- Transfer mechanism
- GitLab DPA + 2021 EU SCCs
Sub-processor change procedure
- New sub-processors are listed above with a target activation date at least 30 days in the future.
- Subscribed customers are notified by email with the same 30-day window.
- A customer who objects on reasonable data-protection grounds may either accept a mutually agreed remediation, or terminate the affected service for cause.
- After 30 days without objection, the sub-processor is moved to the active list above.
EU and UK representatives
Nozemans Software Pte Ltd is established in Singapore. Representatives under Article 27 of the EU GDPR and the UK GDPR are being appointed and will be listed here once active. Until then, contact privacy@cadences.work for any GDPR-related correspondence.