Legal · Sub-processors

Sub-processors

Every external vendor DevShot uses to deliver the service, what they process, and where to find their compliance evidence. Last updated 2026-04-15. Material changes are announced 30 days in advance to active customers via the email address on file.

Supabase

Postgres database, authentication, object storage

Data accessed: All customer data (RLS-isolated; AES-256 at rest with vendor-managed KMS).
Region: EU (Frankfurt) — primary; configurable per project.
Trust center: https://supabase.com/security
DPA: https://supabase.com/legal/dpa

Railway

Hosting for the DevShot console + tunnel process.

Data accessed: In-memory request traffic; container stdout logs purged on restart.
Region: EU-West — primary.
Trust center: https://railway.com/security
DPA: Available on request.

Cloudflare

TURN relay (Calls product) for WebRTC NAT traversal.

Data accessed: Encrypted DTLS-SRTP media + data channels; payload is opaque to Cloudflare.
Region: Global anycast.
Trust center: https://www.cloudflare.com/trust-hub/
DPA: https://www.cloudflare.com/cloudflare-customer-dpa/

Stripe

Billing — subscriptions, invoices, webhooks.

Data accessed: Customer email, billing address, payment method (tokenized — DevShot never sees the card number).
Region: EU + US (Stripe-managed).
Trust center: https://stripe.com/docs/security
DPA: https://stripe.com/legal/dpa
Sub-sub-processors: https://stripe.com/legal/sub-processors

Resend

Transactional email (signup confirmation, magic-link login, billing receipts).

Data accessed: Customer email address and the outbound message body.
Region: EU + US.
Trust center: https://resend.com/legal/security
DPA: Available on request.

Customer-supplied S3 providers (AWS S3, Cloudflare R2, Backblaze B2, MinIO)

Per-VM qcow2 / raw overlay storage. The customer chooses and connects the provider.

Data accessed: Full VM disk images. The customer is the data controller for these buckets — DevShot only processes the connection metadata (provider URL, bucket name, masked credentials).
Region: Customer-selected.
Trust center: Provided by the customer's chosen S3 vendor.
DPA: The customer's DPA with their S3 vendor governs.