Subprocessors
Last updated: February 9, 2026
This page lists the third-party service providers (“Subprocessors”) that TruUp (“we”, “us”, “our”) engages to help provide, maintain, and support our Services. Some of these providers may process personal data on behalf of our customers in accordance with our Data Processing Agreement (DPA) and applicable data protection laws.
We carefully select Subprocessors based on their security practices, reliability, and ability to meet our data protection requirements. Each Subprocessor is bound by written agreements that impose data protection obligations at least as protective as those described in our DPA.
This list may change over time as we add or remove providers. Where required by law or our DPA, we will provide notice of material changes.
1. How We Use Subprocessors
We use Subprocessors for purposes such as:
- Hosting and infrastructure (cloud platforms, databases, content delivery).
- Application monitoring, logging, and error tracking.
- Customer support and communication tools.
- Email delivery and notifications.
- Analytics and product usage insights.
- Payments and subscription billing.
- Internal productivity and collaboration tools (limited personal data, where applicable).
Subprocessors only process data to the extent necessary to perform the services we have engaged them for, and they are not permitted to use personal data for their own independent purposes.
2. Core Infrastructure and Hosting Subprocessors
These providers host and run the core TruUp application, store primary application data, or support infrastructure-level services.
| Subprocessor | Service Provided | Data Categories Processed | Primary Regions / Locations |
|---|---|---|---|
| Self-hosted VPS (RackNerd) | Application hosting, API servers | All application data, including merchant and order data | United States |
| PostgreSQL (self-hosted) | Primary application database | All application data stored in primary databases | United States (co-located with VPS) |
| Cloudflare, Inc. | CDN, DNS management, SSL/TLS, DDoS protection | IP addresses, basic usage data, web content | Global (US-headquartered) |
3. Version Control and Development Tools
These providers support development, deployment, and version control of the Services.
| Subprocessor | Service Provided | Data Categories Processed | Primary Regions / Locations |
|---|---|---|---|
| GitHub (Microsoft) | Source code management, CI/CD pipelines | Limited application logs, deployment metadata | United States |
4. Domain Registration
| Subprocessor | Service Provided | Data Categories Processed | Primary Regions / Locations |
|---|---|---|---|
| Cloudflare Registrar | Domain name registration and management | Domain contact information (where required) | United States |
5. Future Subprocessors
Additional subprocessors may be added as the service matures. We will update this list and notify customers per our Data Processing Agreement.
As TruUp grows, we may engage additional subprocessors in the following categories:
- Application monitoring, logging, and error tracking
- Customer support and communication tools
- Analytics and product usage
- Payments and billing (if processing outside of app store billing)
- Marketing and email delivery services
- Internal productivity and collaboration tools
8. Data Protection and Security Commitments
For each Subprocessor that processes personal data, we:
- Enter into written agreements that require the Subprocessor to protect personal data with appropriate technical and organizational measures.
- Ensure that Subprocessors only process personal data on our documented instructions and for specified purposes.
- Require Subprocessors to assist us in fulfilling our obligations regarding data subject rights, data deletion, and security incident management, where relevant.
Our contracts with Subprocessors reflect the same or equivalent data protection obligations that apply to us under our DPA with customers.
9. International Data Transfers
Some Subprocessors may process data in countries outside of your home jurisdiction, including outside the European Economic Area (EEA) or the UK.
Where required by law, we ensure that such transfers are subject to appropriate safeguards, such as:
- Standard Contractual Clauses approved by the European Commission or UK authorities, or
- Other lawful transfer mechanisms or derogations permitted under applicable data protection laws.
10. Updates to This Subprocessor List
We may update this list from time to time as we add or remove Subprocessors or change how we use them.
Where required by our DPA or applicable laws:
- We will provide notice of material changes to this list (for example, via email, in-app notice, or a dedicated notifications page).
- You may have the right to object to a new Subprocessor within a specified period, as described in our DPA. If you reasonably object based on data protection concerns and we cannot provide a suitable alternative, you may be entitled to terminate the affected services in accordance with our DPA.
11. Questions
If you have questions about our Subprocessors or this list, you can contact us at:
TruUp TruUp
Email: [email protected]