What is a sub-processor?
A sub-processor is a third-party service that we use to operate Mybjjstory and that, in the course of providing that service, processes your personal data on our behalf. Under GDPR Art. 28 we are accountable for the conduct of every sub-processor and must list them transparently.
This page is the canonical list. It is updated when a sub-processor is added or removed.
This list was last updated on 2026-05-23.
Current sub-processors
| Sub-processor | Service | Personal data they process | Location of processing |
|---|---|---|---|
| Supabase, Inc. | PostgreSQL database, authentication, file storage | All Mybjjstory user data — profile, training sessions, social interactions, evaluations, photos, audit logs | European Union — West EU (Ireland) |
| Vercel, Inc. | Application hosting, edge functions, CDN | Request metadata (URL, method, IP for routing). Server function execution is pinned to Frankfurt (fra1). Static assets served from Vercel's global CDN are not personal data. | European Union — Frankfurt (server functions); global CDN for non-personal assets |
| Google LLC | Single sign-on via "Sign in with Google" — only if the user chooses this method | Email address, Google user ID, OAuth tokens | United States, under EU Standard Contractual Clauses |
Transfers outside the EU/EEA
Google is a US-based company. When a user signs in with Google, their authentication request is processed by Google in the US. Google relies on the EU Commission's Standard Contractual Clauses (Module 2 — Controller to Processor) for these transfers, supplemented by its Data Processing Amendment.
No other sub-processor processes Mybjjstory data outside the EU/EEA.
How we choose and review sub-processors
Before engaging a sub-processor, we require:
- A signed Data Processing Agreement (DPA) consistent with GDPR Art. 28(3)
- Evidence of appropriate technical and organisational measures (encryption at rest and in transit, access controls, audit logging)
- For non-EU sub-processors: an adequacy decision or appropriate safeguards (Standard Contractual Clauses)
- Documented breach notification commitments aligned with our 72-hour obligation
Notifications of changes
If we add a new sub-processor or change an existing one's role in a way that affects you, we will update this page and the "last updated" date at the top. For material changes (a new sub-processor, or one that processes new categories of personal data) we will also notify you by email so you have the chance to object before the change takes effect.
If you object to a new sub-processor we will work with you to find an alternative, or you may close your account; see the Privacy Policy for how account deletion is handled.
Contact
Questions about our sub-processors? {{TODO: privacy@mybjjstory.com}}.