This page lists the third-party service providers ("sub-processors") that Linecard engages to help deliver the Service. Each sub-processor is bound by a written agreement requiring it to process personal data only on Linecard's instructions and to maintain appropriate technical and organizational security measures.
This page is provided to support transparency under our Privacy Policy and our Data Processing Agreement with customers. Capitalized terms not defined here have the meaning given to them in our Terms of Service.
1. Current Sub-processors
The table below lists sub-processors that may process personal data in connection with the Service.
| Sub-processor | Function | Data processed | Location of processing |
|---|---|---|---|
| Paddle.com Market Ltd | Merchant of Record, payment processing, billing, invoicing, tax calculation and remittance, fraud screening | Billing name, billing address, country, tax ID, payment method details, transaction history | United Kingdom, European Union |
| Supabase, Inc. | Primary database, authentication, file storage | Account data, Customer Data, authentication tokens, uploaded files | United States, European Union |
| Vercel Inc. | Application hosting, content delivery, edge functions | Usage data, IP addresses, request metadata | United States, European Union (edge regions) |
| Anthropic, PBC | AI processing for commission statement extraction, contract parsing, and reconciliation features | Statement contents, contract text, and other Customer Data submitted to AI features | United States |
| Resend, Inc. | Transactional email delivery (account, billing, security, and product notifications) | Recipient email address, sender metadata, email content | United States, European Union |
| PostHog, Inc. | Product analytics, session analytics, feature usage measurement | Usage events, device and browser data, IP address (truncated where supported) | United States, European Union (EU Cloud) |
| Cloudflare, Inc. | DNS, content delivery, DDoS protection, WAF | IP addresses, request metadata, security event logs | Global edge network |
| GitHub, Inc. | Source code hosting, issue tracking, deployment pipelines (no Customer Data) | Account data of Linecard personnel only | United States |
2. Linecard Affiliates
Linecard does not currently engage affiliated entities to process personal data. If this changes, this page will be updated and customers will be notified in accordance with Section 4.
3. Sub-processor Due Diligence
Before engaging a sub-processor, Linecard conducts a review proportionate to the sensitivity and volume of personal data the sub-processor will process. The review covers:
- the sub-processor's security program, certifications, and audit reports (such as SOC 2 Type II or ISO 27001 where available);
- contractual terms requiring the sub-processor to apply security measures at least as protective as those Linecard applies;
- the location of processing and the lawful basis for any international data transfer, including reliance on Standard Contractual Clauses or the UK International Data Transfer Addendum where applicable;
- breach notification obligations;
- restrictions on onward sub-processing; and
- audit and termination rights.
Each sub-processor is subject to a written agreement consistent with Article 28 GDPR (and the UK equivalent) where applicable.
4. Changes to Sub-processors
Linecard may, from time to time, add, remove, or replace sub-processors. We will:
- update this page to reflect changes;
- provide at least 30 days' advance notice to customers of any new sub-processor that will process Customer Data, by email to the account's primary contact address and by in-app notification, where required by a Data Processing Agreement; and
- give affected customers the opportunity to object to the appointment of a new sub-processor on reasonable grounds relating to data protection.
If a customer raises a reasonable objection within the notice period that cannot be resolved, the customer may terminate the affected portion of its subscription without penalty by providing written notice. This right applies only where a Data Processing Agreement is in place and grants it expressly.
In limited cases, we may engage a new sub-processor without the full notice period — for example, where the change is necessary to address an immediate security, legal, or operational risk. In those cases, we will notify customers as soon as reasonably practicable.
5. Notification Sign-up
Customers with a Data Processing Agreement in place will receive sub-processor change notifications at the account's primary contact address by default. To add additional notification recipients, email privacy@linecard.co with the addresses you wish to include.
6. Data Processing Agreement
Customers who require a Data Processing Agreement may request one by emailing legal@linecard.co. Our standard DPA incorporates the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.
7. Questions
For questions about this page, our sub-processors, or our processing arrangements: