Subprocessors & Data Processing
Last updated: 15 July 2026
When you use Banquetly, you (or your organization) act as the data controller for the personal data you enter — your team members and your event guests. Banquetly acts as a data processor, processing that data only to provide the service on your behalf. To do so, we rely on a small set of trusted third parties (“subprocessors”). Each is bound by a data protection agreement that permits them to process personal data only as needed to deliver their service to us.
Current subprocessors
| Subprocessor | Purpose | Data processed | Processing location |
|---|---|---|---|
| Supabase | Database, authentication, and file storage | All application data — account details, organization data, events, guest lists, floor plans | Australia (Sydney) |
| Vercel | Application hosting and content delivery | HTTP request metadata and IP addresses | United States |
| Stripe | Subscription billing and payment processing | Billing contact and payment details (held by Stripe; never stored on our servers) | United States |
| Resend | Transactional email delivery | Recipient email address and message content (verification, password reset, team invitations) | United States |
| Upstash | Rate limiting | IP addresses, as short-lived request counters | Singapore |
| Sentry | Error monitoring and diagnostics | Stack traces and request metadata, including the acting user's ID and IP address | United States |
| PostHog | Product analytics | Usage events, pages visited, device/browser type, and user & organization identifiers | United States |
International data transfers
Some subprocessors process data outside the country where your organization is based. Where a transfer of personal data crosses a border that requires a safeguard, we rely on the appropriate mechanism — such as the European Commission's Standard Contractual Clauses — as incorporated into our agreements with each subprocessor.
How we protect your data
Regardless of subprocessor, your data is protected by encryption in transit (TLS) and at rest (AES-256), tenant isolation enforced by database row-level security, organization-wide and per-user two-factor authentication, and an append-only audit log of sensitive actions. See our Privacy Policy for how we collect and use personal data.
Data Processing Addendum (DPA)
For business customers who need a Data Processing Addendum to satisfy their own compliance obligations (for example under the GDPR or UK GDPR), we offer one. Our standard DPA incorporates this subprocessor list and the transfer safeguards above. To request it, email privacy@banquetly.app from your organization's account and we'll send it for signature.
Changes to this list
We will update this page before a new subprocessor begins processing customer personal data, and update the “Last updated” date above. Business customers with a signed DPA can request advance email notification of subprocessor changes so they have an opportunity to object.
Contact
Questions about our subprocessors or data processing? Email privacy@banquetly.app.