Subprocessors
CRA Evidence engages the following third-party subprocessors to provide our services. This list is maintained in accordance with GDPR Article 28 and our Data Processing Agreement.
Change Notification
We will notify customers at least 30 days before adding or replacing a subprocessor. You may subscribe to updates by contacting privacy@craevidence.com.
You may object to a new subprocessor within 30 days of receiving notice by contacting privacy@craevidence.com.
Infrastructure Subprocessors
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, compute, and storage | All customer data | eu-west-1 (Dublin, Ireland) |
| Amazon RDS | Managed PostgreSQL database | All structured data (accounts, products, vulnerabilities) | eu-west-1 (Dublin, Ireland) |
| Amazon S3 | Object storage | SBOMs, technical documents, firmware images | eu-west-1 (Dublin, Ireland) |
| Amazon CloudFront | Content delivery and edge security | Static assets, request routing | EU edge locations |
| Amazon SES | Transactional email delivery | Email addresses, notification content | eu-west-1 (Dublin, Ireland) |
Application Subprocessors
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Workspace | SMTP relay for email delivery | Email addresses, email content | Google global infrastructure (EU SCCs included) |
| Stripe | Payment processing | Billing name, email, payment method | United States (EU SCCs / DPF) |
| Cloudflare Turnstile | Bot protection on registration and login | IP address, browser fingerprint | Edge processing (no PII stored) |
| Tailscale | Zero-trust VPN for admin infrastructure access | Employee device metadata, network access logs (no customer content) | Coordination server: Canada/US; data traffic: peer-to-peer WireGuard within AWS EU |
| PostHog | Product analytics (cookieless mode on public pages, full analytics for authenticated users with consent) | Page views, feature usage, anonymised interaction data | EU (eu.posthog.com, Frankfurt, Germany) |
Self-Hosted Components
| Component | Purpose | Data Processed | Location |
|---|---|---|---|
| Trivy (Aqua Security) | Vulnerability scanning of SBOMs | SBOM content, package metadata | Self-hosted within our AWS infrastructure (eu-west-1) |
Notes
- All customer data is stored exclusively in the EU (AWS eu-west-1, Dublin, Ireland).
- Stripe processes payment data in the United States under Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework (DPF).
- Google Workspace is covered by the Cloud Data Processing Addendum (CDPA), which includes Standard Contractual Clauses for international transfers.
- Cloudflare Turnstile processes data at the edge for bot protection only. No personal data is stored.
- Trivy runs entirely within our own infrastructure and does not send data to external services.
- Tailscale's coordination server handles device identity and key exchange only. All data traffic flows peer-to-peer using WireGuard encryption within our AWS infrastructure. No customer data passes through Tailscale servers.
- PostHog operates in cookieless mode on public pages, collecting only anonymised page view data without setting cookies or using local storage. For authenticated users who consent to analytics, PostHog provides feature usage insights. All data is processed in the EU (Frankfurt, Germany).
Contact
For questions about our subprocessors, contact privacy@craevidence.com.
Last updated: February 2026.