Sub-processors

The third parties that process data on our behalf — and yours.

A complete list of the vendors ScanPosture relies on, their purpose, the categories of data they touch, and the region in which they process it.

Supabase · UK (London) | Vercel · EU edge | Resend · EU/US

Sub-processors: 8 (total in production stack)
UK primary store: 1 (customer data hosted in London)
EU operations: 4 (application + delivery routed through EU)
No customer data: 2 (routing / source code only)

Vendor list

Grouped by where data is processed

The order matters. Customer data lives in the UK; everything else is operational tooling routed through Europe. Two vendors don’t see customer data at all.

United Kingdom: Primary data store

Supabase

United Kingdom (London, eu-west-2)

Purpose

Primary database, authentication backend and storage

Data category

All customer-tenant data — accounts, scan results, findings, audit logs, billing references

Postgres + Row-Level Security; AES-256 at rest at the storage layer.

European Union: Application + delivery infrastructure

Vercel

EU regions; UK / EU traffic served from EU edge

Purpose

Application hosting, serverless compute, scheduled jobs

Data category

Request metadata, application logs, build artefacts. No customer data persisted at the edge.

Resend

EU / US (recipient address only on the receiving leg)

Purpose

Transactional email delivery (account, scan summaries, alerts)

Data category

Recipient email address, message subject, message body, delivery status

Stripe

EU / US (Stripe data residency model)

Purpose

Subscription billing and payment processing

Data category

Billing-account email, invoice history, card token (handled by Stripe — never stored by ScanPosture). Per-month seat counts pushed from completed scans.

Plausible Analytics

European Union (Plausible is EU-hosted)

Purpose

Cookieless web analytics on the public marketing site only

Data category

Page views, referrer, anonymised location at country level. No cookies, no individual identifiers.

Public marketing site (scanposture.com) only. Not loaded inside the customer application.

Global edge: Routing + abuse mitigation

Cloudflare

Global edge network

Purpose

DNS, edge proxy, Turnstile bot challenge on signup forms

Data category

Request metadata only. Turnstile receives a session token, not user-entered fields.

Customer’s own tenant: Read-only by admin consent

Microsoft (Graph + Exchange Online + SharePoint Online)

Customer’s own Microsoft tenant region

Purpose

Read-only assessment of customer Microsoft 365 / Entra ID configuration

Data category

Configuration metadata only — read-only Graph, Exchange and SharePoint admin scopes. No mailbox or document content. No write actions.

Microsoft is the customer’s own primary processor; ScanPosture acts on the customer’s behalf via admin consent.

United States: No customer data

GitHub

United States

Purpose

Source-code hosting, CI/CD pipelines (deploy workflows)

Data category

Source code only. No production customer data is ever stored in or transmitted via GitHub.

Change notification

We notify customers of changes to this list in advance, as required by the ScanPosture Data Processing Agreement. Customers may object to a proposed sub-processor change in line with the terms set out in the DPA. Questions about this list? hello@scanposture.com.