Sub-processors

Policy version 2026-06-25. The machine-readable equivalent of this list is available at /legal/subprocessors.json.

VentReport (the data controller) engages the third parties below to provide the application. Each is bound by a written processor agreement under Article 28 GDPR. We update this page whenever the list changes; if you have an active processor agreement with us, we notify you by email.

Status legend

Active

Currently processing personal data.

Planned

Configured for production but not yet receiving data. Will flip to Active on production launch.

Conditional

Only engaged when the user voluntarily triggers the path (e.g. signing in with that identity provider).

Notes

• Supabase — Project hosted in eu-north-1 (Stockholm). All customer data — Sites, Inspections, Measurements, CleaningReports, User accounts, Companies — lives in this Postgres instance.
• Vercel — Production deployment is configured to use Frankfurt / Paris / Dublin edge regions only. Disclosure listed as 'planned' until production launch flips it to 'active'.
• Cloudflare R2 — Bucket location set to EU jurisdiction (replicated across EU data centres). Phase 3d wires this up; until then, file uploads are not yet active. Pre-signed PUT URLs are used for direct browser → R2 upload with content-hash addressing.
• Sentry — EU data region — events are ingested via *.ingest.de.sentry.io and stored within the European Union. Captures error stack traces and minimal request context to diagnose faults; personal data is scrubbed before send (sendDefaultPii is off and a beforeSend hook strips cookies, authorization headers, request bodies, query strings and user identifiers — only the URL path is retained). No customer compliance data is sent. Listed as 'planned' until the production DSN is configured at launch — until then the SDK is a no-op and transmits nothing.
• Cloudflare Turnstile — Loaded only on /contact (lazy-loaded on first form interaction). The widget collects browser signals (IP address, User-Agent, mouse / key input timing, and minimal browser-fingerprint data) and sends them to Cloudflare for the bot-or-human decision. Distinct from Cloudflare R2: different product, different data flow, different endpoint (challenges.cloudflare.com). Functional necessity for the anti-spam stack — does NOT require visitor consent under the CMP (strictly-necessary category), but is disclosed here for full transparency per GDPR Art. 13.
• Resend — EU region. Recipient email + email content (the magic-link URL or reminder body) is shared with Resend for delivery only; no other personal data is transmitted.
• Google — Only triggered when a user voluntarily uses Google as their identity provider. The OIDC handshake exchanges Google's user-id token for a VentReport session. No customer data is sent to Google. US transfers rely on EU-US Data Privacy Framework adequacy + SCCs for redundancy.
• Google Analytics (gtag.js) — Consent-gated: gtag.js does not load until the visitor explicitly accepts analytics in the CMP banner. EDPB 5/2020 default-deny posture. Visitors who decline or haven't decided are not tracked. The gtag snippet sets cookies (_ga, _ga_<container>) under the ventreport.com domain. Toggle off in Cookie preferences uses Consent Mode v2 to halt further sends mid-session.
• Cloudflare Web Analytics — Consent-gated. Cloudflare Web Analytics is intentionally cookie-free and aggregates everything server-side; there are no per-user identifiers, no cross-site tracking, no fingerprinting. Beacon URL: static.cloudflareinsights.com/beacon.min.js. The single 'analytics' CMP toggle covers GA, Cloudflare, and Clarity together.
• Microsoft Clarity — Consent-gated. Clarity exposes a consent API (`clarity('consent', true|false)`) that pauses or resumes data collection without unloading the script — used to drive mid-session toggles via the CMP modal. Default PII masking covers form inputs; we do not explicitly opt in to recording inputs. Tag URL: www.clarity.ms/tag/<project-id>. Most invasive of the three analytics tools we use, so consent gating is non-negotiable.
• Microsoft (Entra ID) — Same rationale as Google. EU-tenant Entra deployments stay in EU; global tenants may route through US. SCCs cover the residual transfer.
• Anthropic — Triggered when a user interacts with the support assistant. The user's typed messages, and — for signed-in users — concise summaries of their own VentReport records retrieved to answer their questions, are sent to Anthropic's API. No bulk customer data is sent — only the active conversation. Under Anthropic's standard Data Processing Addendum (https://www.anthropic.com/legal/dpa) API inputs and outputs are NOT used to train Anthropic's models, prompts are retained for up to 30 days for trust-and-safety (abuse-prevention) purposes before deletion, and zero-retention can be requested in writing for specific use cases. Hosted in the United States; transfers covered by the EU Commission's Standard Contractual Clauses (Module 2) plus a Schrems II Transfer Impact Assessment.

Related

• Privacy Notice — full processing-purpose, lawful-basis, and retention details.
• Terms of Use — processor agreement is incorporated by reference.