Sub-processor List
Effective date: February 19, 2026 | Last updated: February 19, 2026
Qwick Cert, Inc. uses the following third-party sub-processors to operate and deliver the Service. This list is updated when we add, remove, or substantially change a sub-processor. Customers with a Data Processing Agreement (DPA) in place will receive at least 14 days' advance notice of new or changed sub-processors.
For questions about this list, email privacy@qwickcert.com.
Supabase
- Purpose
- Database (PostgreSQL), authentication, and encrypted secret storage (Vault)
- Data categories
- Account data, organization data, signing operation logs, encrypted Azure credentials
- Processing location
- United States (AWS us-east-1)
- Privacy policy
- supabase.com
Vercel
- Purpose
- Hosting and deployment of the Qwick Cert dashboard and API (Next.js)
- Data categories
- HTTP request logs, IP addresses, User-Agent strings
- Processing location
- United States (AWS us-east-1 and global edge network)
- Privacy policy
- vercel.com
Stripe
- Purpose
- Payment processing, subscription billing, and invoicing
- Data categories
- Billing email, name, payment method tokens, subscription metadata
- Processing location
- United States
- Privacy policy
- stripe.com
Resend
- Purpose
- Transactional email delivery (invitation emails, security alerts, billing notices)
- Data categories
- Email address, email content (invitation links, notification text)
- Processing location
- United States
- Privacy policy
- resend.com
Transfer Mechanisms
Where personal data originating in the European Economic Area (EEA) or United Kingdom (UK) is transferred to sub-processors in the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (for EEA transfers) or the UK ICO (for UK transfers). Copies of applicable SCCs are available on request at privacy@qwickcert.com.
Notification of Changes
We will update this page when sub-processors are added, removed, or materially changed. Customers with an active DPA will be notified by email at least 14 days before any new sub-processor begins processing personal data, providing an opportunity to object.