Sub-processors

Last updated 2026-05-24.

A "sub-processor" is a third party that processes customer personal data on our behalf. Resolute Security uses the providers below to operate the service. Each is bound by its own privacy and security commitments, plus contractual data-processing agreements (DPAs) with us where applicable.

Customers who have signed our DPA receive at least 30 days' notice before we add or replace a sub-processor; you can subscribe to changes by emailing privacy@resolute-security.com.

Data storage

Vendor: Neon (Neon, Inc.)
Their DPA ↗
Role: Managed Postgres — primary data store for all customer records.
Data:
  • Account profile
  • Org and team data
  • Compliance assessments
  • Scan results
  • Audit logs
Region: US (AWS us-east-1)
Certifications:
  • SOC 2 Type II
  • ISO 27001

Infrastructure

Vendor: Fly.io (Fly.io, Inc.)
Their DPA ↗
Role: Application + worker hosting (compute, networking).
Data:
  • Request payloads in transit
  • App-level logs (no body content)
Region: US + EU (per app region)
Certifications:
  • SOC 2 Type II

Vendor: Upstash (Upstash, Inc.)
Their DPA ↗
Role: Managed Redis — background-job queue + ephemeral rate-limit state.
Data:
  • Job payload metadata (scan targets, recipient ids)
  • Rate-limit counters
Region: US (AWS us-east-1)
Certifications:
  • SOC 2 Type II

Vendor: Cloudflare (Cloudflare, Inc.)
Their DPA ↗
Role: CDN, DNS, DDoS mitigation, WAF in front of the application.
Data:
  • Request metadata in transit (IP, headers, URL)
  • TLS termination
Region: Global edge
Certifications:
  • SOC 2 Type II
  • ISO 27001
  • PCI DSS Level 1

Email delivery

Vendor: Resend (Resend, Inc.)
Their DPA ↗
Role: Transactional email delivery (magic links, alerts, digests, training).
Data:
  • Recipient email addresses
  • Email subject + body
  • Delivery + bounce events
Region: US
Certifications:
  • SOC 2 Type II

Payments

Vendor: Stripe (Stripe, Inc.)
Their DPA ↗
Role: Payment processing, subscription management, invoicing.
Data:
  • Billing contact
  • Payment method (tokenized; card data never touches our servers)
  • Subscription + invoice records
Region: US + EU
Certifications:
  • PCI DSS Level 1
  • SOC 1 / SOC 2
  • ISO 27001

Authentication

Vendor: Google (Google LLC)
Their DPA ↗
Role: OAuth sign-in (only invoked when a user chooses Google sign-in).
Data:
  • Google account id
  • Email address
  • Display name
Region: US + global
Certifications:
  • SOC 2 Type II
  • ISO 27001
  • ISO 27017
  • ISO 27018

Vendor: Microsoft (Microsoft Corporation)
Their DPA ↗
Role: OAuth sign-in + M365 integration for connected tenants.
Data:
  • Entra account id
  • Email address
  • Directory snapshot (for connected tenants)
Region: US + global
Certifications:
  • SOC 2 Type II
  • ISO 27001
  • FedRAMP High

Monitoring & observability

Vendor: Sentry (Functional Software, Inc.)
Their DPA ↗
Role: Error and exception monitoring (stack traces + metadata only).
Data:
  • Stack traces
  • Request headers (PII scrubbed)
  • User id (numeric, not email)
Region: US
Certifications:
  • SOC 2 Type II
  • ISO 27001
  • HIPAA-eligible