Overview
A “sub-processor” is a third-party data processor engaged by us who has, or could have, access to customer personal data. We use sub-processors to deliver, operate, and improve the Service.
Every sub-processor below is bound by a written data-processing agreement that requires equivalent protections to those we offer our customers, including confidentiality, security measures, and breach-notification obligations.
Active Sub-processors
The following vendors are authorised sub-processors as of the date above:
| Vendor | Purpose | Data | Location | Compliance |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, invoicing, fraud prevention | Name, email, billing country, card token, transaction history | United States (global) | PCI DSS Level 1, SOC 1, SOC 2 Type II |
| Vercel, Inc. | Application hosting, edge network, build pipeline | Account data, request logs, IP addresses (truncated) | United States (global edge) | SOC 2 Type II, ISO 27001 |
| Replicate, Inc. | AI model inference (background removal, upscale, relight) | Uploaded images (deleted within 24h), inference logs | United States | SOC 2 Type II |
| Cloudflare, Inc. | DDoS protection, DNS, CDN | IP addresses, request headers | United States (global) | SOC 2 Type II, ISO 27001, PCI DSS |
| Upstash, Inc. | Managed Redis (session and rate-limit state) | Session tokens, rate-limit counters | United States (multi-region) | SOC 2 Type II |
| Resend, Inc. | Transactional email delivery (receipts, password reset) | Email address, message content | United States | SOC 2 Type II |
Click a vendor name to view their privacy policy.
Selection Criteria
Before engaging a sub-processor we evaluate:
- Security posture, certifications, and audit history (SOC 2, ISO 27001, etc.).
- Contractual data-protection commitments (DPA, SCCs where applicable).
- Data-residency options and sub-processor chain.
- Operational maturity (incident response, status page, support).
- Necessity — the smallest set of vendors needed to deliver the Service.
Changes to This List
When we add a new sub-processor, we will update this page and revise the “Last updated” date above. Customers on annual or enterprise contracts may also be notified by email. We recommend bookmarking this page or subscribing to changes via support@Hooky.com.
Right to Object
If you have a reasonable objection to a new sub-processor on data-protection grounds, contact us at support@Hooky.com within 30 days of the change. We will work with you in good faith to resolve the objection, including by offering a substitute service where reasonably possible. If we cannot, you may terminate the affected services and receive a pro-rata refund of unused credits.
See also our Data Processing Agreement, Privacy Policy, and Security pages.