Last updated: April 2026
EatSafe uses the following third-party service providers (subprocessors) to deliver the Service. This page supplements Sections 5 and 6 of the Privacy Policy. Material changes will be announced via the Service.
| Vendor | Location / Country of transfer | Purpose of processing | Safeguards |
|---|---|---|---|
| Stripe, Inc. | United States | Payment processing, qualified invoicing, fraud detection (card fingerprint) | SCC, PCI DSS Level 1, SOC 1/2 Type II |
| Supabase, Inc. | United States / Singapore / EU (depending on project region) | Authentication, PostgreSQL database, storage, RLS | SCC, SOC 2 Type II, HIPAA-ready, encryption at rest |
| Vercel Inc. | United States | Hosting, CDN, serverless functions, access logs | SCC, SOC 2 Type II, ISO 27001 |
| Google LLC | United States | OAuth (Google Sign-In) | SCC, ISO 27001/27017/27018, SOC 2/3 |
| Apple Inc. | United States | OAuth (Sign in with Apple) | SCC, ISO 27001, SOC 2 |
| Resend | United States | Transactional email (magic link, notifications) | SCC, TLS encryption |
| Sentry | United States | Error monitoring & performance (PII scrubbed) | SCC, SOC 2 Type II, data scrubbing |
We have entered into agreements with each subprocessor that require processing only within the specified purpose, prohibit improper use, mandate appropriate technical and organizational safeguards, require employee supervision, regulate sub-subprocessor selection, and prohibit further transfer of personal data.
Information on the personal-data protection regimes of each transfer destination is published by Japan’s Personal Information Protection Commission (https://www.ppc.go.jp/personalinfo/legal/kaiseihogohou/#gaikoku). The United States does not have a comprehensive federal personal-data protection law; personal data there is regulated by state-level and sector-specific laws.