Sub-processors
Last updated: June 2026
Emplora uses the following third-party sub-processors to deliver our service. We have a written Data Processing Agreement with each, and where data is transferred outside the EEA or UK we rely on the EU-US Data Privacy Framework, Standard Contractual Clauses, or the UK International Data Transfer Addendum (UK IDTA).
Change notifications
We commit to notifying customer organisations at least 30 days before adding or replacing a sub-processor that has access to customer data. Notification is delivered by email to the account owner on file. Business customers may object in writing within the 30-day window; if no objection is raised, the change takes effect as scheduled.
| Sub-processor | Purpose | Data processed | Region |
|---|---|---|---|
| Vercel Inc. | Application hosting and edge network | All Emplora traffic, request logs (IP retained 30 days for abuse prevention) | United States (DPF certified) |
| Neon Inc. | Primary PostgreSQL database | All workforce data: organisations, employees, schedules, time-off, sick leave | EU (Frankfurt) for Emplora's project |
| Clerk, Inc. | Manager authentication, session management | Email, name, password (hashed), session tokens, sign-in events | United States (DPF certified) |
| Resend Inc. | Transactional email delivery | Recipient email, message body, delivery status (employee invitations, password resets, billing notifications) | United States (DPF certified) |
| Functional Software, Inc. d/b/a Sentry | Error monitoring and performance tracing | Anonymised error reports, page load timings. Cookies and auth headers scrubbed before transmission via `beforeSend` filter. | EU (Frankfurt) for Emplora's project |
| Google LLC (Google Analytics 4) | Aggregated marketing-site analytics | Page views, browser type, referrer, approximate region. Loaded only on the marketing site. Identifiable data collected only with explicit user consent via cookie banner (Consent Mode v2, IP anonymisation enabled). | United States (DPF certified) |
| Ably Real-time Ltd. | Real-time notification delivery (schedule changes, time-off updates) | Channel IDs derived from organisation + location IDs; notification payloads (no PII beyond what is in the event metadata) | EU (Frankfurt) |
| Stripe, Inc. | Subscription billing and payment processing | Billing contact name and email, subscription plan, invoices. Card details are entered directly with Stripe and never touch Emplora's servers; for payment data Stripe acts as an independent controller under its own privacy policy. | United States (DPF certified) |
| Svix, Inc. | Webhook signature verification library for inbound service events | Webhook payloads from our authentication and email providers (event metadata, recipient email addresses) pass through signature verification. Processed transiently; nothing is stored. | United States (DPF certified) |
| Sanity.io (Lyra Network, Inc.) | Marketing blog content management | Blog post content authored by Emplora staff. No customer or employee data. | United States (DPF certified) |
Definitions
A "sub-processor" is a third party engaged by Emplora that processes personal data on behalf of an Emplora customer organisation, under our instruction, to deliver part of the service. This is distinct from third-party integrations that a customer chooses to connect themselves (such as Slack or Google Calendar), which are not Emplora sub-processors.
Our obligations under GDPR Art. 28
- Every sub-processor has signed a Data Processing Agreement (or equivalent contractual safeguards) with us that flows down the same data-protection commitments we make to our customers.
- We only engage sub-processors who provide sufficient guarantees to implement appropriate technical and organisational measures.
- Where data is transferred outside the EEA / UK, we rely on (a) the EU-US Data Privacy Framework where the recipient is certified, (b) Standard Contractual Clauses approved by the European Commission, (c) the UK International Data Transfer Addendum (UK IDTA) for UK personal data, or (d) another lawful transfer mechanism under GDPR Chapter V.
- We maintain this page as an up-to-date public record of our sub-processors as required by GDPR Art. 28(2).
Questions
For sub-processor questions, DPA requests, or to object to a proposed sub-processor change, please contact us.