Sub-processors
Last updated: March 2026
In compliance with Article 28 of the GDPR, Kardu publishes the list of sub-processors that have access to personal data of our clients. All sub-processors are located within the European Union or the European Economic Area and are subject to data processing agreements.
| Provider | Category | Location | Purpose | Policy |
|---|---|---|---|---|
| Supabase | Database and authentication | Frankfurt, EU (AWS eu-central-1) | Platform data storage, user authentication and session management. | View → |
| Vercel | Infrastructure and hosting | Frankfurt, EU | Web application hosting and static content delivery. | View → |
| Brevo | Email communications | París, EU | Sending transactional emails (confirmations, alerts, evidence reminders). | View → |
| Stripe | Payment processing | Irlanda, EU | Secure payment processing for subscription plans. Only accesses billing data. | View → |
We will notify our clients at least 14 days in advance before adding or changing any sub-processor. To receive these notifications, make sure you have product communications enabled in your account.
For any questions about our sub-processors, write to us at contact@kardu.eu.