Sub-Processor List

Last Updated: 28.01.2026

This document lists all sub-processors currently authorized by Sonar Seed to process personal data in connection with the provision of the Sonar Seed application (the "App").

Overview

In accordance with our Data Processing Agreement (DPA), we maintain this list of sub-processors and provide advance notice of any changes. Merchants will be notified at least 30 days prior to engaging a new sub-processor or making material changes to an existing sub-processor's role.

Notification of Changes

Changes to this list will be communicated via:

  1. Email notification to the merchant's registered email address
  2. In-app notification displayed prominently in the App dashboard
  3. Updated timestamp on this page

Merchants may object to new sub-processors within 14 days of receiving notice by contacting legal@sonarseed.com.


Current Sub-Processors

1. Shopify Inc.

Purpose: E-commerce platform integration

Processing Activities:

  • Creating and managing Draft Orders for product seeding
  • Updating customer tags and metafields
  • Reading order data for affiliate tracking
  • OAuth authentication for merchant accounts

Data Categories:

  • Merchant: Shop details, access tokens, product catalog
  • Influencer: Shipping addresses (for Draft Orders only)
  • End-Customer: Order details, discount code usage (ephemeral processing)

Location: Canada, United States

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)

Security Certifications: SOC 2 Type II, ISO 27001, PCI DSS Level 1

Website: https://www.shopify.com
Privacy Policy: https://www.shopify.com/legal/privacy
DPA: https://www.shopify.com/legal/dpa


2. Klaviyo, Inc.

Purpose: Marketing automation integration (optional)

Processing Activities:

  • Syncing influencer profiles to Klaviyo lists
  • Updating influencer segments based on tier changes
  • Triggering automated email flows for influencer milestones

Data Categories:

  • Influencer: Name, email address, tier status, affiliate performance metrics

Location: United States

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)

Security Certifications: SOC 2 Type II, ISO 27001

Website: https://www.klaviyo.com
Privacy Policy: https://www.klaviyo.com/legal/privacy
DPA: https://www.klaviyo.com/legal/data-processing-agreement

Notes: This sub-processor is only engaged if the merchant explicitly enables Klaviyo integration in App settings.


3. Resend, Inc.

Purpose: Transactional email delivery

Processing Activities:

  • Sending magic login links to influencers
  • Sending welcome emails to new influencers
  • Sending shipping notifications for seeded products
  • Sending commission milestone notifications

Data Categories:

  • Influencer: Email address, first name
  • Email content (transactional messages only)

Location: United States

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)

Security Certifications: SOC 2 Type II (in progress as of Jan 2026)

Website: https://resend.com
Privacy Policy: https://resend.com/legal/privacy-policy
DPA: https://resend.com/legal/dpa

Notes: Resend does not store email content beyond delivery logs required for debugging (7-day retention).


4. Supabase, Inc.

Purpose: Database, authentication, and file storage

Processing Activities:

  • Storing merchant settings and configurations
  • Storing influencer profiles and performance data
  • Managing authentication sessions
  • Storing uploaded brand assets and influencer content (images, videos)

Data Categories:

  • Merchant: Account settings, API keys (encrypted), shop metadata
  • Influencer: Full profile data (name, email, address, social handles, commission history)
  • Content: Uploaded images, videos, and deliverable submissions

Location: United States (AWS us-east-1 primary region)

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)

Security Certifications: SOC 2 Type II, ISO 27001

Website: https://supabase.com
Privacy Policy: https://supabase.com/privacy
DPA: https://supabase.com/legal/dpa

Infrastructure Provider: Supabase operates on Amazon Web Services (AWS) infrastructure. AWS sub-processors:


5. Upstash, Inc.

Purpose: Caching and rate limiting

Processing Activities:

  • Caching frequently accessed data to improve performance
  • Rate limiting API requests to prevent abuse
  • Storing temporary session tokens

Data Categories:

  • IP addresses (hashed where possible)
  • Session identifiers
  • Cached non-sensitive data (e.g., product catalogs, tier thresholds)

Location: United States, European Union (distributed edge locations)

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)

Security Certifications: SOC 2 Type II (in progress)

Website: https://upstash.com
Privacy Policy: https://upstash.com/trust/privacy.pdf
DPA: https://upstash.com/trust/dpa.pdf

Data Retention: Cached data automatically expires (typically 1-24 hours). Rate limit logs retained for 7 days.


6. Vercel Inc.

Purpose: Hosting infrastructure and content delivery network (CDN)

Processing Activities:

  • Hosting the Sonar Seed web application (merchant dashboard and influencer portal)
  • Serving static assets and API endpoints
  • Processing HTTP requests and responses
  • Logging access and error logs

Data Categories:

  • Request logs: IP addresses, user agents, URLs accessed
  • Error logs: Stack traces (may contain user IDs, but no PII)
  • Performance metrics: Page load times, API response times

Location: United States, European Union, Asia-Pacific (distributed edge network)

Data Transfer Mechanism: Standard Contractual Clauses (SCCs)

Security Certifications: SOC 2 Type II, ISO 27001

Website: https://vercel.com
Privacy Policy: https://vercel.com/legal/privacy-policy
DPA: https://vercel.com/legal/dpa

Infrastructure Provider: Vercel operates on Amazon Web Services (AWS) and Google Cloud Platform (GCP) infrastructure.

Data Retention: Access logs retained for 30 days; error logs retained for 90 days.


Sub-Sub-Processors

Some of the sub-processors listed above use their own infrastructure providers (sub-sub-processors). These are listed for transparency:

Amazon Web Services (AWS)

  • Used by: Supabase, Vercel (primary infrastructure provider)
  • Purpose: Cloud computing infrastructure (compute, storage, databases)
  • Location: Global (multi-region)
  • Security Certifications: SOC 1/2/3, ISO 27001, PCI DSS Level 1
  • Website: https://aws.amazon.com
  • Compliance: https://aws.amazon.com/compliance/

Google Cloud Platform (GCP)


Removed Sub-Processors

The following sub-processors were previously authorized but are no longer engaged:

Sub-Processor | Removal Date | Reason
(None) | - | -

How to Object to a Sub-Processor

If you object to the engagement of a new sub-processor on reasonable data protection grounds, you may:

  1. Submit an objection by emailing legal@sonarseed.com within 14 days of receiving notice of the change.
  2. State your grounds for objection (e.g., concerns about security practices, jurisdictional risks, lack of adequate safeguards).
  3. Work with us to identify alternative solutions, which may include:
    • Disabling the feature that relies on the sub-processor
    • Implementing additional safeguards
    • Providing alternative processing arrangements

If no mutually acceptable solution can be reached, you may terminate your use of the App without penalty by uninstalling it from your Shopify store.


Contact Information

For questions about our sub-processors or to exercise your right to object, please contact:

Sonar Seed
Data Protection Officer

Email: legal@sonarseed.com
Privacy: privacy@sonarseed.com
Support: support@sonarseed.com


Version History:

Version | Date | Changes
1.0 | 28.01.2026 | Initial publication

This document is reviewed and updated quarterly or whenever a material change occurs.