Subprocessors
This page lists the providers Tadoro uses for operations, security, communication, billing, and development. It is the authoritative, always-current overview that the data processing agreement (DPA) with corporate customers refers to.
Necessary services
Always active, as required for operation, security, billing, and communication.
| Provider | Purpose | Location | Role | Transfer safeguard |
|---|---|---|---|---|
| Supabase | Database, authentication | EU (Frankfurt) | Processor | Processing within the EU |
| Vercel | Hosting, edge network | EU (Frankfurt); global edge; US admin access (SCCs) | Processor | EU Standard Contractual Clauses for administrative US access; additionally EU-US Data Privacy Framework (Vercel Inc. certified) |
| Stripe | Payment processing (no card data stored with us) | Ireland + USA | Independent controller (payment) | EU Standard Contractual Clauses (contracting entity Stripe Payments Europe Ltd., Ireland); additionally EU-US Data Privacy Framework for onward US transfers |
| Resend | Transactional emails, drip series, business inquiries via /partners | USA | Processor | EU Standard Contractual Clauses; additionally EU-US Data Privacy Framework (Resend, Inc. certified) |
| Anthropic (Claude) | AI-assisted analysis (onboarding, conversation guides, assessor brief – subject names anonymised before transfer; the assessor brief processes health/care data on the basis of explicit Art. 9(2)(a) GDPR consent). Family Workspace only, not the Employer Layer. | Ireland + USA | Processor | EU Standard Contractual Clauses (not a Data Privacy Framework participant; SCCs only). Contractual ‘no training’ commitment on transmitted data. |
| Upstash | Redis (rate limiting, token counters) | EU (Frankfurt) | Processor | Processing within the EU |
| Sentry | Error + performance monitoring | EU | Processor | Processing within the EU |
| Cloudflare Turnstile | Bot protection (sign-up, password reset) | Global (edge); USA | Processor | EU Standard Contractual Clauses; additionally EU-US Data Privacy Framework (Cloudflare, Inc. certified) |
Optional services
Active only if you consent (Google Analytics) or only if you click the link yourself (Calendly).
| Provider | Purpose | Location | Role | Transfer safeguard |
|---|---|---|---|---|
| Google Analytics | Anonymous usage statistics (consent only) | USA | Independent controller | EU Standard Contractual Clauses; additionally EU-US Data Privacy Framework (Google LLC certified) |
| Calendly | Scheduling B2B2C consultations via /partners (only if you click the link) | USA | Independent controller | EU Standard Contractual Clauses; additionally EU-US Data Privacy Framework (Calendly, LLC certified) |
Employer Layer (provision via an employer)
If your employer provides Tadoro as an employee benefit, Tadoro processes certain data in the Employer Layer on behalf of the employer. The subprocessors used there, and the corresponding safeguards including any third-country transfers, are governed by the data processing agreement (Art. 28 GDPR) between Tadoro and the employer. The AI features (Anthropic) are used exclusively in the private Family Workspace, not in the Employer Layer. The allocation of roles is described in the Privacy Policy (§ 1a).
Changes
We update this list when providers change. Corporate customers are notified in advance of intended subprocessor changes in accordance with the DPA; a right to object on important data-protection grounds remains unaffected. Copies of the respective safeguards (DPAs, Standard Contractual Clauses) are available on request: datenschutz@tadoro.com
Last updated: May 2026