子处理方
最后更新:2026-06-19
Last updated: June 19, 2026
Operator: PassportCraft LLC, 418 Broadway, Ste N, Albany, NY 12207, USA
Contact: privacy@passportcraft.com
Sub-processors
PassportCraft LLC engages the third-party service providers below ("sub-processors") to help deliver the PassportCraft platform. Each is bound by a written data protection agreement with obligations no less protective than our Data Processing Agreement, and we remain responsible to you for their performance.
Before engaging any sub-processor we conduct due diligence on its security and data-protection practices, and we review our sub-processors periodically (see Annex B.10 of our Data Processing Agreement).
This page is the authoritative, current list. It is referenced by our Terms of Service, Privacy Policy, and Data Processing Agreement (Annex C).
Recent changes
This block records additions, removals, and material changes to the list, with effective dates, so that returning readers can see what changed without re-reviewing the whole page.
- 2026-06-19 — Added an "Applies to" column distinguishing Core from Conditional sub-processors and a "Recent changes" block. No sub-processors were added or removed.
| Sub-processor | Applies to | Purpose | Data processed | Location | Transfer safeguard |
|---|---|---|---|---|---|
| Vercel Inc. | Core (all customers) | Platform hosting, content delivery, edge/serverless compute | All platform data in transit and at rest, server logs, IP addresses | USA / global edge network | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| Supabase Inc. | Core (all customers) | Database hosting, authentication, file storage | Account data, product/DPP data, supplier data, authentication tokens, uploaded files | USA (company); customer data hosted in the EU (Ireland, AWS eu-west-1) | Data stored in the EU; SCCs for company access |
| Stripe Inc. | Core (all paying customers) | Payment processing and subscription management (PCI DSS Level 1) | Billing contact details, payment-method metadata, transaction records | USA / Ireland | EU-US DPF; SCCs; Irish entity for EU operations |
| Resend Inc. | Core (all customers) | Transactional and notification email delivery | Names and email addresses of recipients, email content | USA | Standard Contractual Clauses (SCCs) |
| Google LLC | Conditional (analytics only if you consent; sign-in only if you choose it) | Website and product analytics (Google Analytics 4, consent-gated); optional "Sign in with Google" | Anonymized usage/device data, interaction events; authentication identifiers for users choosing Google sign-in | USA | EU-US DPF; SCCs |
| OpenAI, L.L.C. | Conditional (only if you use AI features) | AI-assisted content features (sustainability-claim rewriting, care-symbol suggestions) | Text submitted by users to AI features | USA | SCCs; OpenAI does not use data submitted via its API to train its models by default |
| Microsoft Corporation | Conditional (only if you choose Microsoft sign-in) | Optional "Sign in with Microsoft" authentication (Microsoft Entra ID) | Authentication identifiers (email, name) for users choosing Microsoft sign-in | USA / EU | EU-US DPF; SCCs |
The "Applies to" column indicates whether a sub-processor handles every customer's data ("Core") or only processes data when you use a specific feature ("Conditional"). Google Analytics runs only after you accept analytics cookies through our consent banner; if you do not consent, no analytics data is sent.
Where a transfer outside the EEA/UK relies on Standard Contractual Clauses, we assess whether the safeguards provide adequate protection (transfer impact assessment) and apply supplementary measures where appropriate, as set out in Article 7 of our Data Processing Agreement.
Changes and notifications
We will give at least 30 days' advance notice before adding or replacing a sub-processor, so that customers may object on reasonable data-protection grounds as described in Article 6 of our Data Processing Agreement.
If a customer does not object in writing within the 30-day notice period, the new sub-processor is deemed accepted. If a customer objects on reasonable data-protection grounds, the objection is handled as set out in Article 6 of our Data Processing Agreement, which may, if the matter remains unresolved, allow the customer to terminate and receive a refund of prepaid fees.
There are two ways to track changes to this list:
- Email notifications. Email privacy@passportcraft.com with the subject line "Sub-processor updates" and we will add you to our notification list. Subscribers receive the advance notice described above.
- Watch the source. This list is maintained in our public version-controlled repository at a stable URL, and the "Recent changes" block above is updated whenever the list changes. Customers who prefer to monitor the page programmatically (for example, with a page- or repository-change watcher) can do so without contacting us.
We do not yet offer an automated in-page subscription form; the email notification list above is the channel we maintain.
Prior versions of this list are available on request — email privacy@passportcraft.com — as a complete, dated history is retained in our version-controlled records.