HOME / SUBPROCESSOR NOTICE
Processing Partners

Subprocessor Notice

How production subprocessors will be identified, assessed, governed, and communicated before they process customer personal data.

Last Updated: 2026-07-16Version v2.0

This policy is a draft that requires review and approval by qualified legal counsel before public launch. It is provided for general information only and does not constitute legal advice. RYHA Technologies may update it from time to time, and only a formally approved published version should be treated as binding.

Current Approval Status

This draft does not represent an approved or complete production subprocessor list. No counsel approval artifact or executed-provider inventory was found for this review. Provider names below describe roles evidenced by the current frontend, configured service paths, and provider-facing terms; they do not prove that a DPA has been executed, a particular region or transfer mechanism is approved, or every production recipient has been identified. Before launch, RYHA must publish a counsel-approved, versioned register based on deployed data flows, applicable contracts, customer configuration, and security and privacy review.

Evidence-Backed Current Service Roles

• Clerk — authentication processor for customer end-user account, verified identity, session, and related authentication data. A newly persisted waitlist email may also be synchronized to Clerk for a best-effort waitlist notification. • Supabase — storage for the authoritative waitlist record and operational form submissions such as contact and job-application records, together with configured content and administration records. • Cloudflare — frontend hosting and edge delivery, including network and request metadata used for delivery, abuse prevention, rate limiting, and configured sampled invocation and security telemetry. • Dodo Payments — hosted payment checkout and related billing, subscription, tax, fraud-prevention, and transaction processing. Dodo is Merchant of Record only where the applicable checkout, buyer terms, order, or executed contract identifies the relevant Dodo entity in that role. These descriptions are purpose-limited. They do not certify provider security, promise a retention period, identify every affiliate or onward processor, or change the draft status of this notice.

Required Register Information, Due Diligence, and Changes

For each approved subprocessor, the final register should state the legal name and relevant affiliate, service purpose, data categories, affected feature, processing and storage locations, retention or deletion behavior, security review status, approved international transfer mechanism, and effective date. Before authorization, RYHA should assess privacy and security terms, confidentiality, incident duties, deletion, audit support, availability dependencies, and restrictions on secondary use or model training. The executed DPA must require appropriate flow-down obligations. The final change-notification process must define subscriptions, any required advance-notice period, material-change information, objection grounds, review steps, and available remedies without inventing a period or remedy before approval.

Transfers, Customer Choices, and Contact

Processing regions and international safeguards must reflect the actual service configuration and approved transfer assessment. Customer-selected integrations may have separate terms and may act under the customer’s instructions. Questions about the draft register, data locations, or change notices can be sent to privacy@ryha.dev. The public register must not be marked complete until operational evidence and legal approval confirm every production recipient.

Related policies