Subprocessors
Last updated:
These are the third-party services we rely on to deliver DropifyXL. Each one is bound by a Data Processing Addendum at least as protective as our own. We review this list whenever we add or remove a vendor.
| Processor | Purpose & data | Region | DPA |
|---|---|---|---|
| Shopify, Inc. | Source platform — the merchant installs DropifyXL on their Shopify store and grants read-only access to catalog, orders, customers, and visitor events. Store catalogOrdersCustomersVisitor events | Global (Canada HQ) | View |
| Supabase | Managed Postgres database — primary store for shop, product, order, customer, recommendation, and newsletter data. Encrypted at rest (AES-256), encrypted in transit (TLS). All merchant + newsletter data | EU (Frankfurt) or US (N. Virginia), chosen per project | View |
| Vercel | Hosts the embedded Shopify app + the marketing site. Receives request metadata and application logs only — no merchant data persists on Vercel. Request metadataIP addressesApplication logs | Global edge (US-primary) | View |
| DigitalOcean | Runs the standalone cron server that triggers scheduled jobs on the Vercel-hosted app. No merchant data is stored on DigitalOcean. Job execution logs | US / EU | View |
| Resend | Sends transactional email (weekly digest, trial-ending reminder, unsubscribe confirmation). Processes recipient email addresses and rendered message bodies. Recipient emailMessage content | US | View |
| OpenAI | Polishes recommendation copy when LLM_PROVIDER=openai. Receives only rule-level structured data (e.g. product title, counts, percentages) — never end-customer PII, never raw order or customer records. Aggregated rule output | US | View |
| Google (Gemini) | Alternative LLM provider — used when LLM_PROVIDER=gemini. Same scope as OpenAI: rule-level structured data only. Aggregated rule output | Global | View |
International transfers
Where a processor is located outside your region, transfers rely on Standard Contractual Clauses (SCCs) and any applicable supplementary measures (encryption, access controls, audit rights).
Notice of changes
We'll update this page when a subprocessor is added or removed. Enterprise merchants can request change notifications via the contact form.
Questions about this list? Open a ticket.