Sub-processors
Third-party service providers and sub-processors Equaticket uses to operate the platform.
Last Updated: April 22, 2026
This page lists the third-party service providers and sub-processors that Equaticket uses to operate the Service. It is referenced in our Privacy Policy and, where applicable, any Data Processing Agreement entered into with Organizers.
Depending on the processing context, these vendors may act as Equaticket's processors (when processing data on behalf of Organizers), service providers (when supporting Equaticket's own controller-side processing), or sub-processors in a processor chain. Each vendor is authorized to process data only as necessary to provide its designated function, subject to contractual and technical safeguards where applicable.
Current Service Providers
| Provider | Function | Categories of Data Processed | Data Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase | Primary database, authentication (magic links, OAuth), real-time features (check-in sync) | Organizer account data, event data, order and ticket records, team member data, consent records, authentication tokens, check-in records | United States | SCCs (EU Commission Standard Contractual Clauses, 2021/914; Supabase DPA incorporates SCCs and UK addendum) |
| Stripe | Payment processing (Buyer ticket purchases via Stripe Connect Standard), Organizer subscription billing | Transaction metadata (payment/refund status, dispute notifications, Stripe account connection status). Full payment card data is processed by Stripe directly and is not accessible to Equaticket. | United States | DPF certified |
| Resend | Transactional email delivery (platform sending key for Free tier; BYO domain integration for paid tiers) | Recipient email addresses, email content and metadata, delivery status, bounce information | United States | DPF certified |
| Vercel | Application hosting, serverless compute (API routes, ISR), web analytics | HTTP request data, IP addresses, page view and performance metrics, geographic distribution | United States | DPF certified (EU-U.S., UK Extension, and Swiss-U.S. DPF) |
| Upstash | Redis caching, background job processing (QStash), transactional integrity controls | Session state, background job payloads (which may include order data, Buyer email addresses, and outbound webhook delivery queues) | United States | DPF certified (EU-U.S., UK Extension, and Swiss-U.S. DPF) |
| Cloudflare | CAPTCHA (Turnstile), DNS | IP addresses, device and interaction signals for bot detection | Global (Cloudflare edge network) | DPF certified |
| Sentry | Error monitoring and performance tracking | Error logs, stack traces, and performance data, with efforts to minimize unnecessary personal data in error reports | United States | DPF certified (EU-U.S., UK Extension, and Swiss-U.S. DPF) |
Notes
Data location: All primary application data is stored in the United States. Some providers operate global edge networks (such as Cloudflare) where data may be processed at the network edge closest to the user for performance and security purposes.
Transfer mechanisms: For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the applicable transfer mechanism noted for each provider. "DPF certified" indicates the provider is a certified participant in the EU-U.S. Data Privacy Framework (and, where applicable, the UK Extension and Swiss-U.S. Data Privacy Framework). "SCCs" refers to Standard Contractual Clauses approved by the European Commission. Transfer mechanism details for each provider are confirmed at the time of contracting and reviewed periodically. Where a provider's DPF certification status changes, we will update this page and assess alternative transfer mechanisms.
Organizer-designated third parties (outbound webhooks): Organizers on the Pro tier may configure webhook endpoints to receive event and order data. The systems receiving webhook data are designated by the Organizer and are not Equaticket sub-processors. Organizers are responsible for the privacy and security practices of their webhook receivers.
BYO Email: When an Organizer on a paid tier configures a custom sending domain, transactional emails are sent using the Organizer's domain identity through Resend's infrastructure. Equaticket continues to process email delivery metadata (delivery status, bounce information) regardless of the sender identity configuration.
Changes to This List
We may update this list from time to time as we add, replace, or remove service providers. When we make changes:
- This page will be updated with the new provider, its function, and the categories of data it processes.
- The "Last Updated" date at the top of this page will be revised.
- Where required by a Data Processing Agreement, we will provide advance notice to affected Organizers before engaging a new sub-processor, in accordance with the notification mechanism specified in the applicable DPA.
Material changes to our core infrastructure providers (database, authentication, payment processing, or email delivery) will also be reflected in an update to our Privacy Policy.
Questions
If you have questions about our service providers or data processing infrastructure, contact us at privacy@equaticket.com.