Draft — review with qualified counsel before publishing. This page lists the sub-processors PubSentry uses, in plain language, so a lawyer can confirm it against the live vendor relationships and turn it into a binding notice. It is not legal advice and is not the final policy. Bracketed placeholders must be completed before this page goes live.
This page identifies the third parties ("sub-processors") that [LEGAL ENTITY NAME] ("PubSentry," "we," "us") engages to help deliver the PubSentry service, and the categories of data each one touches. It supplements our Privacy Policy and Data Processing Addendum; where this list conflicts with the sub-processor section of the DPA, the most recently published version controls.
Effective date: [EFFECTIVE DATE] Controller / processor: [LEGAL ENTITY NAME], [REGISTERED ADDRESS] — questions to [DPO/CONTACT EMAIL]. Governing law: This page is governed by the laws of [GOVERNING JURISDICTION], subject to the mandatory provisions of applicable data-protection law.
What a sub-processor is
A sub-processor is a third party we authorise to process personal data on our behalf in the course of providing the Service — for example, the infrastructure that runs our datastores, or the vendor that sends a billing email. Engaging sub-processors is normal for a SaaS product, but it is something we keep deliberately small and disclose openly.
Two design choices keep this list short and low-risk:
- Data minimization at ingest. When the PubSentry tag scores a page view, the raw IP address and User-Agent are hashed server-side with HMAC-SHA256 and then dropped — never written to storage. What persists is a one-way keyed hash, derived network/geo attributes from an offline iptoasn dataset (no residential-proxy, VPN, or Tor lookup that would call a third party), and event metadata. There is no third-party IP-intelligence, ad-network, or data-broker call on the scoring path, so the visitor-signal flow has no sub-processor of its own.
- First-party, same-origin product. The dashboard and APIs are served from our own infrastructure; authentication uses a first-party session cookie. The few sub-processors below sit at the edges — infrastructure, payments, and email — not in the detection loop.
Our current sub-processors
We engage the following sub-processors. Each is bound by data-protection terms no less protective than those we owe you, and PubSentry remains responsible for their performance.
| Sub-processor | Role | Purpose | Data it touches | Processing location |
|---|---|---|---|---|
| [HOSTING PROVIDER NAME] | Hosting / infrastructure | Runs the application servers, ClickHouse (events), and Redis (reputation, accounts, configuration) that the Service is built on | Scored event metadata, hashed identifiers (HMAC-SHA256, raw IP/UA already dropped), reputation/velocity counters, account records (email, scrypt password hash, plan, billing state), TTL-bounded config — all at rest on infrastructure we operate | [HOSTING REGION / COUNTRY] |
| DodoPayments | Payments | Merchant-of-record and payment processing for account subscriptions (checkout, customer portal, billing webhooks) | Billing contact details and card / payment data — handled directly by DodoPayments under its own terms; PubSentry receives only billing status and customer/subscription reference IDs, not card numbers | Per DodoPayments' terms |
| Resend | Sends transactional and account email — sign-up/verification, billing notices, and alert/notification messages | Recipient email address and the message content of the email being sent | Per Resend's terms |
Note on the hosting provider. PubSentry self-hosts the application stack on infrastructure rented from [HOSTING PROVIDER NAME]. Because all persisted data lives there, this is the broadest sub-processor on the list and the one most relevant to a security review. Backend services are bound to localhost behind a reverse proxy and are not directly reachable from the public internet; data in transit is served over TLS. [Confirm the legal entity name, region, and any data-processing agreement reference for the hosting provider with counsel and engineering before publishing — and confirm encryption-at-rest commitments separately.]
What is not on this list
To set expectations honestly:
- No third-party tracking, advertising, or remarketing vendors touch visitor-signal data. The detection tag sets no cross-site advertising cookies and builds no cross-site profile.
- No third-party IP-intelligence or data-broker service is called when scoring traffic; network/geo enrichment uses an offline dataset we ship.
- Google Analytics 4 runs on the public marketing site only (
pubsentry.com) for aggregate, non-identifying measurement — never inside the authenticated dashboard or the detection path. It is described in our Cookie Policy rather than treated as a processor of customer or visitor data. [Confirm with counsel whether GA4 should be listed here as well, depending on how its data is characterised.]
Engaging new sub-processors and notifying you
We may add or replace a sub-processor as the product grows — for example, if we adopt a new email provider or add a second infrastructure region.
When we do, we commit to:
- Hold the new sub-processor to equivalent obligations. Any replacement or addition must be bound by data-protection terms at least as protective as those in our DPA, and PubSentry remains responsible for its acts and omissions.
- Give you advance notice of changes affecting visitor-signal or customer personal data. We will provide reasonable prior notice before a new or replacement sub-processor starts processing such data. [Set the notice period and channel with counsel — for example, a posted update to this page with a new effective date, an email, or a subscribable change list — and state it explicitly here.]
- Let you object on legitimate grounds. If you have a reasonable, data-protection-based objection to a new sub-processor, tell us at [DPO/CONTACT EMAIL]. We will work with you in good faith; if we cannot reasonably accommodate the objection, your remedy is to terminate the affected Service as described in the DPA and Terms.
This page is the canonical, up-to-date list. Changes will be reflected here with a revised effective date, and material changes affecting personal data will additionally be communicated through the notice channel above.
How to subscribe to changes
[Describe with counsel how a customer can subscribe to be notified of sub-processor changes — for example a mailing list, an account-settings toggle, or following this page — and link it here. Do not promise a channel that is not yet implemented.]
Contact
Questions about our sub-processors, or to request notice of future changes: [DPO/CONTACT EMAIL] — [LEGAL ENTITY NAME], [REGISTERED ADDRESS]. For how we handle data overall, see our Privacy Policy and Data Processing Addendum.
Draft for internal review. Do not treat any statement here as final or as legal advice until [LEGAL ENTITY NAME] has had it reviewed by qualified counsel.