Legal
Subprocessors
Last updated: June 23, 2026
We engage carefully vetted third-party processors to operate the Service. Each is bound by a Data Processing Agreement that meets GDPR Article 28 requirements.
Current subprocessors
| Processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Lovable Cloud (Supabase) | Database, auth, storage, edge functions | EU (Frankfurt) | EU SCCs |
| Cloudflare | CDN, WAF, DDoS mitigation, edge runtime | Global edge | EU SCCs + DPF |
| Resend / SendGrid | Transactional email (verification, receipts) | EU / US | EU SCCs + DPF |
| Onfido / Sumsub (planned) | KYC identity verification & liveness | EU / UK | EU SCCs |
| ComplyAdvantage (planned) | Sanctions, PEP & adverse-media screening | EU / UK | EU SCCs |
| Stripe / Paddle (planned, post-license) | Payment acquiring | EU / US | EU SCCs + DPF |
| Sentry | Error monitoring (no personal data in payloads) | EU | EU SCCs |
Change notifications
We notify customers at least 30 days before adding or replacing a subprocessor by updating this page and emailing account holders who have opted in to product notices. You may object to a new subprocessor on legitimate grounds; if we cannot accommodate the objection you may terminate the account.
Audits & certifications
We review each subprocessor's SOC 2, ISO 27001, and equivalent attestations annually and document the assessment in our vendor-risk register.
Template notice: This document is a compliance-ready template and not legal advice. You must have a qualified gambling-law attorney review and adapt it to your jurisdiction(s) before relying on it.