Data Processors and Sub-processors
Last updated: April 2026
In compliance with Article 28 of the GDPR, we publish the complete and up-to-date list of external providers involved in processing personal data on behalf of LongevityMap. A Data Processing Agreement (DPA) is in place with all of them, guaranteeing protection levels equivalent to those required by the GDPR.
For transfers outside the European Economic Area, we apply the Standard Contractual Clauses (SCC) approved by the European Commission, together with additional technical measures when necessary.
Providers
| Provider | Service provided | Data processed | Location | Safeguards |
|---|---|---|---|---|
| Supabase | Database and authentication | All platform data | EU (Frankfurt) | DPA + AES-256 encryption + PITR |
| Vercel | Hosting, CDN and serverless functions | Access logs, HTTP requests | EU / US (global CDN) | DPA + SCC |
| Resend | Transactional email delivery | Email and message content | US | DPA + SCC |
| Stripe Payments Europe | Payment processing | Email, amount, card token (we do not store card numbers) | Ireland (EU) | Native GDPR DPA + PCI-DSS |
| Cloudinary | Image storage and transformation | Images uploaded by clinics (logos, photos, before/after) | US | DPA + SCC |
| Sentry | Error monitoring | Error stack traces (personal data automatically redacted) | US | DPA + SCC + PII redaction |
| Google Analytics (GA4) | Website usage analytics | Anonymous usage (only after explicit consent in the cookie banner), anonymized IP | US | DPA + SCC + IP anonymization + Consent Mode v2 |
| Google OAuth | Optional OAuth authentication ("Sign in with Google") | Email and name (only if the user chooses this login method) | US | OAuth 2.0 standard + DPA |
Updates to this list
If we add or replace any provider, we will update this page before the change takes effect. For greater transparency, we invite you to review it periodically. If you have questions about any provider, write to privacidad@longevitymap.co.