Project Strata — Browser-Native Financial Analytics

Back to Privacy PolicySUBPROCESSORS
SubprocessorsLast updated: May 20, 2026 · Version 2.0
The table below lists every subprocessor that processes Strata user personal data under GDPR Art. 28. We keep it in sync with our internal DPA register and review it quarterly. Items marked “N/A (no personal data)” are upstream market-data providers that we query without sending any user-identifying information.
#SubprocessorPurposeRegionTransfer mechanism
1Stripe Payments Europe LtdPayments + Customer IDIE → US fallbackDPF + SCCs
2Vercel IncHosting + Functions + BlobUS (sea1 + iad1)DPF + SCCs
3Vercel Web AnalyticsAggregate traffic (cookie-free, server-side IP+UA hash 24h)USDPF + SCCs (Art. 6(1)(f) LIA)
4Vercel Speed InsightsWeb vitals (cookie-free, no identifiers)USDPF + SCCs (Art. 6(1)(f) LIA)
5Neon IncPostgres (primary DB)EU (eu-central-1, Frankfurt)EU-only — no transfer
6Sentry (Functional Software Inc)Error monitoring + on-error replay (text-masked)USDPF + SCCs
7Google LLCOAuth identity (sign-in only)USDPF + SCCs
8Resend IncTransactional email (OTP, DSR, billing receipts)USDPF + SCCs
9Upstash IncRate limit + KVUS (iad1)DPF + SCCs
10Inngest IncDurable AI jobsUSDPF + SCCs
11Microsoft Corporation — Azure AI FoundryPrimary AI route: DeepSeek V4, GPT-4o, Anthropic Claude (US inference under MS DPA)EU (Sweden Central) — Claude inference: US, per Microsoft DPA, EU-native target pendingMicrosoft DPA + SCCs/DPF for any control-plane US fallback
12Amazon Web Services — Bedrock FrankfurtEU-residency-today Claude inference (eu.anthropic.* cross-region IDs)EU (eu-central-1, Frankfurt)AWS Customer Agreement + AWS DPA (EU-only)
13Google LLC — Vertex AIGemini-family AI tasksEU (europe-west4, Netherlands)EU-only via Vertex-EU endpoint + SCCs
14Anthropic PBC (direct API, fallback only)Claude fallback when EU routes unavailableUSDPF + SCCs (zero-retention enterprise DPA pending)
15OpenAI LLC (direct API, fallback only)GPT-family fallback when EU routes unavailableUSDPF + SCCs (zero-retention enterprise DPA pending)
16Mistral AIMistral-family AI tasksEU (Paris) — Mistral is EU-basedNo transfer outside EEA
17Financial Modeling PrepEquity fundamentalsUSDPF / N/A (no personal data)
18Alpha VantagePrice historyUSN/A (no personal data)
19Twelve DataPrice history fallbackUSN/A (no personal data)
20Federal Reserve Economic Data (FRED)Macro ratesUSN/A (public-data API)
21OpenFIGI (Bloomberg LP)Bond identifier lookupUSN/A (controller-to-controller)
22EODHD (EOD Historical Data)Global price historyEU (servers in EU available)N/A (public market data only)
Change-notification policyWe will notify administrators of paid accounts at least 30 calendar days in advance before adding or replacing a subprocessor on this list. The notification is sent by email and reflected here. The 30-day clock starts when the notification email is sent, not when the underlying DPA is signed.
Customers who object to a new subprocessor within the notice period may terminate the affected service for material breach with a prorated refund of any unused pre-paid term.
Region changes that reduce transfer exposure (for example moving a US-hosted service to an EU region) do not require advance notice.
Project Strata © 2026|Wynex Labs|Changelog|Terms
Built for analysts

Subprocessors

Last updated: May 20, 2026 · Version 2.0

The table below lists every subprocessor that processes Strata user personal data under GDPR Art. 28. We keep it in sync with our internal DPA register and review it quarterly. Items marked “N/A (no personal data)” are upstream market-data providers that we query without sending any user-identifying information.

#	Subprocessor	Purpose	Region	Transfer mechanism
1	Stripe Payments Europe Ltd	Payments + Customer ID	IE → US fallback	DPF + SCCs
2	Vercel Inc	Hosting + Functions + Blob	US (sea1 + iad1)	DPF + SCCs
3	Vercel Web Analytics	Aggregate traffic (cookie-free, server-side IP+UA hash 24h)	US	DPF + SCCs (Art. 6(1)(f) LIA)
4	Vercel Speed Insights	Web vitals (cookie-free, no identifiers)	US	DPF + SCCs (Art. 6(1)(f) LIA)
5	Neon Inc	Postgres (primary DB)	EU (eu-central-1, Frankfurt)	EU-only — no transfer
6	Sentry (Functional Software Inc)	Error monitoring + on-error replay (text-masked)	US	DPF + SCCs
7	Google LLC	OAuth identity (sign-in only)	US	DPF + SCCs
8	Resend Inc	Transactional email (OTP, DSR, billing receipts)	US	DPF + SCCs
9	Upstash Inc	Rate limit + KV	US (iad1)	DPF + SCCs
10	Inngest Inc	Durable AI jobs	US	DPF + SCCs
11	Microsoft Corporation — Azure AI Foundry	Primary AI route: DeepSeek V4, GPT-4o, Anthropic Claude (US inference under MS DPA)	EU (Sweden Central) — Claude inference: US, per Microsoft DPA, EU-native target pending	Microsoft DPA + SCCs/DPF for any control-plane US fallback
12	Amazon Web Services — Bedrock Frankfurt	EU-residency-today Claude inference (eu.anthropic.* cross-region IDs)	EU (eu-central-1, Frankfurt)	AWS Customer Agreement + AWS DPA (EU-only)
13	Google LLC — Vertex AI	Gemini-family AI tasks	EU (europe-west4, Netherlands)	EU-only via Vertex-EU endpoint + SCCs
14	Anthropic PBC (direct API, fallback only)	Claude fallback when EU routes unavailable	US	DPF + SCCs (zero-retention enterprise DPA pending)
15	OpenAI LLC (direct API, fallback only)	GPT-family fallback when EU routes unavailable	US	DPF + SCCs (zero-retention enterprise DPA pending)
16	Mistral AI	Mistral-family AI tasks	EU (Paris) — Mistral is EU-based	No transfer outside EEA
17	Financial Modeling Prep	Equity fundamentals	US	DPF / N/A (no personal data)
18	Alpha Vantage	Price history	US	N/A (no personal data)
19	Twelve Data	Price history fallback	US	N/A (no personal data)
20	Federal Reserve Economic Data (FRED)	Macro rates	US	N/A (public-data API)
21	OpenFIGI (Bloomberg LP)	Bond identifier lookup	US	N/A (controller-to-controller)
22	EODHD (EOD Historical Data)	Global price history	EU (servers in EU available)	N/A (public market data only)

Change-notification policy

We will notify administrators of paid accounts at least 30 calendar days in advance before adding or replacing a subprocessor on this list. The notification is sent by email and reflected here. The 30-day clock starts when the notification email is sent, not when the underlying DPA is signed.

Customers who object to a new subprocessor within the notice period may terminate the affected service for material breach with a prorated refund of any unused pre-paid term.

Region changes that reduce transfer exposure (for example moving a US-hosted service to an EU region) do not require advance notice.