SellerLegend Sub-Processors
Last reviewed: 06 Sep. 2025
Where a vendor is an active participant in the EU-US Data Privacy Framework (DPF) (and UK Extension), we rely on DPF and do not use SCCs. For non-adequate destinations, we use EU 2021 SCCs with the UK Addendum.
Please refer to the official list of DPF-certified organisations here: https://www.dataprivacyframework.gov/list
1) Hosting & Core Infrastructure
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
Amazon Web Services (AWS) | IaaS hosting, databases, networking, object storage, KMS | US West (e.g., Oregon) primary | DPF Certified, ISO 27001/27017/27018 | |
Cloudflare | CDN | Global network; caching in-region where available | DPF Certified, ISO 27001 | |
2) Security, Performance & Threat Detection
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
Trend Micro – Trend Cloud One | Workload security, threat detection (IPS/IDS) | EU (Germany/Netherlands) or Japan — region selectable; configured to EU | ISO 27001 | If Japan region is used, EU/UK→Japan relies on adequacy; onward transfers managed by Trend. |
AWS CloudWatch | Infrastructure/application monitoring, metrics & logs | As per AWS region configuration | DPF Certified (covered under AWS) | Listed here for clarity; governed by AWS entry. |
3) Payments & Tax Processing
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
Stripe | Payment processing | Global (regional routing; EU acquiring where applicable) | DPF Certified, PCI-DSS | |
Quaderno (Recrea Systems S.L.) | VAT invoicing, EU OSS/MOSS tax compliance | EEA processing (EU data centres) | DPA on file, EEA residency | Quaderno processes in the EEA; no SCCs needed between SellerLegend↔Quaderno. |
Xero | Accounting (invoicing, AR/AP, bank feeds) | New Zealand (EU/UK→NZ adequacy); vendor hosted | Adequacy (NZ); DPA on file | Xero does not store EU data in the EU; transfers rely on adequacy and vendor safeguards per Xero DPA. |
4) Customer Communication & Support
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
Intercom | In-app messaging, support CRM | EU/US (vendor hosted) | DPF Certified | |
Paperform | Web forms (contact, intake) | Vendor hosted | SCCs | Use limited to non-sensitive submissions. |
5) Analytics, Marketing & Advertising
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
Google Analytics / Tag Manager | Website analytics, tag orchestration | Vendor hosted | DPF Certified | |
Meta (Facebook) | Advertising & retargeting | Vendor hosted | DPF Certified | |
 | Advertising & retargeting | Vendor hosted | DPF Certified | |
X (Twitter) Ads | Advertising | Vendor hosted | DPF Certified | |
6) Application Monitoring & Error Reporting
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
SmartBear – Bugsnag | Error reporting, crash analytics | Vendor hosted | DPF Certified | |
7) Internal Business, Email & Collaboration
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
Google Workspace | Email, documents, storage | Vendor hosted | DPF Certified | |
Microsoft 365 | Productivity suite | Vendor hosted | DPF Certified | |
Slack | Team communications | Vendor hosted | DPF Certified | |
Microsoft Teams | Meetings, chat & collaboration | Vendor hosted | DPF Certified | |
8) Development & Testing / Front-End Assets
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
GitHub | Source control, CI | Vendor hosted | DPF Certified | |
Postman | API collaboration & testing | Vendor hosted | DPF Certified | |
Font Awesome (Fonticons, Inc.) | Icon fonts / CDN | Vendor hosted | DPF Certified | |
DataTables (CDN) | Front-end table assets | Vendor hosted (global CDN) | SCCs | |
9) Email & Forms
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
Mailchimp / Mandrill | Marketing email & transactional relay | Vendor hosted | DPF Certified | |
10) Development Partner
Provider | Purpose | Location / Residency | Safeguards | Notes |
---|---|---|---|---|
Histone Web Solutions (Private) Ltd. | Software development & maintenance | Pakistan | EU SCCs (2021, Module 3); UK Addendum | Direct SCCs/UK Addendum executed for restricted transfers. Least-privilege access; no onward sub-processing without approval. |
Questions?
If you have any concerns about SellerLegend's use of Sub-Processors, please contact us at:
support@sellerlegend.com