Sub-processors
These are the third-party services Whitecap Data relies on to deliver its products. We update this page within seven days of any material change. If you want advance notice of changes, email security@whitecapdata.com.
Last updated: 2026-05-28
Production sub-processors
These vendors process customer data as part of delivering the live service.
| Vendor | Purpose | Data processed | Location |
|---|---|---|---|
| Cloudflare | CDN, Workers, Pages, KV, DNS, R2 storage | Request metadata, IP, session JWT, KV-stored configuration | United States (global edge) |
| DigitalOcean | VPS hosting (cana.whitecapdata.com), backups | Application data, scraped Shopify data, backups | United States (NY1) |
| Clerk | Authentication, organization membership, sessions | User identity, email, session JWT, organization metadata | United States |
| Stripe | Subscription billing and payments | Billing email, business name, payment method (Stripe-hosted) | United States + global |
| Resend | Transactional email | Recipient address, email content | United States |
| Discord | Internal new-lead notifications (private #sign-up-notifications channel, staff-only) | Contact-form lead: name, business, email, message, coarse country | United States |
Customer-controlled data sources
These vendors hold data the customer has authorized us to access on their behalf. We process this data under the customer's direction and only for the purpose they have engaged us for.
| Vendor | Purpose | Notes |
|---|---|---|
| Shopify | Source of truth for product, sales, and inventory data we analyze for the customer | Per-customer credentials. Customer authorizes access; we do not store credentials outside our secrets infrastructure. |
Operational sub-processors
These vendors support our internal build, deployment, and monitoring.
| Vendor | Purpose | Data processed |
|---|---|---|
| GitHub (Actions) | Source code hosting and CI/CD | Source code, build artifacts, CI logs. No customer PII in CI. |
| Sentry | Application error tracking and incident telemetry | Exception messages, stack traces, request metadata. May include PII when an error occurs during a request that carries it. |
Services we don’t use to process your data
For clarity (and because we believe a sub-processor list should be honest about what’s not in it as well as what is): the deployed Whitecap Data products do not call third-party AI APIs at runtime. We do not send your data to Anthropic, OpenAI, or any other large-language-model provider as part of delivering the service. If that ever changes, this page will be updated and customers on the notification list will be emailed before the feature ships.
How we choose sub-processors
- Vendor must offer a written Data Processing Agreement (DPA) or equivalent.
- Vendor must support multi-factor authentication on administrative accounts.
- Vendor must have a published security posture (SOC 2, ISO 27001, or comparable evidence).
- Vendor must allow us to scope access to least privilege.
- If the customer's regulatory regime requires it (HIPAA BAA, FedRAMP, etc.), vendor must be authorized at that level — or we will not use them for that customer.
Change notification
If you are a customer with a contractual right to advance notice of sub-processor changes (typically 30 days), email security@whitecapdata.com to join the notification list. Material changes include adding a new vendor that processes customer data, or replacing an existing one.