Subprocessors and Key Recipients
Note: The German version of this document is the legally binding version. This English text is provided for convenience only.
Last updated: July 5, 2026
This list describes the key service providers, subprocessors, and recipients that may be used for Ride Assignment. Not every listed provider acts as a subprocessor in every role. The actual processing depends on which features a customer organization uses and which environment is configured.
1. Supabase
Provider: Supabase, Inc. and affiliated Supabase entities.
Role: subprocessor for authentication, session handling, managed Postgres database services, storage, and platform functionality.
Purpose: account and workspace operation, login, sessions, database, access control, and technical platform provision.
Data categories: account, session, organization, workspace, driver, passenger, event, route, import, export, audit, and security data.
Location and processing: depends on the Supabase project configuration; third-country transfers may occur in particular for support, platform operation, or group-company access.
Transfer mechanism: adequacy decision, Standard Contractual Clauses, or other appropriate safeguards under Chapter V GDPR where required.
2. Vercel
Provider: Vercel Inc. and affiliated Vercel entities.
Role: hosting, deployment, edge, logging, and infrastructure provider.
Purpose: provision of the website, web application, API routes, deployments, infrastructure logs, and security functionality.
Data categories: technical request data, IP-related request information, logs, error data, and application data where processed by server functions.
Location and processing: United States and other infrastructure locations according to the active Vercel configuration.
Transfer mechanism: adequacy decision, Standard Contractual Clauses, or other appropriate safeguards under Chapter V GDPR where required.
3. Stripe
Provider: Stripe Payments Europe, Limited, Stripe, Inc., and affiliated Stripe entities.
Role: payment provider; independent controller or processor/subprocessor depending on the processing activity.
Purpose: checkout, subscription billing, invoices, billing portal, payment processing, webhooks, and billing synchronization.
Data categories: account and billing data, Stripe customer references, checkout and subscription metadata, invoice data, payment status, and billing-related support data. Payment card data is processed directly by Stripe.
Location and processing: Ireland, United States, and other Stripe processing locations.
Transfer mechanism: adequacy decision, Standard Contractual Clauses, or other appropriate safeguards under Chapter V GDPR where required.
4. Mapbox
Provider: Mapbox, Inc. and affiliated Mapbox entities.
Role: provider for maps, routing, geocoding, matrix calculations, optimization, and static map images.
Purpose: interactive map display, server-side route calculation, reachability checks, route optimization, route metrics, and map images in exports.
Data categories: IP-related request data, addresses, coordinates, route points, travel routes, routing parameters, and technical request metadata.
Location and processing: United States and other Mapbox processing locations.
Transfer mechanism: adequacy decision, Standard Contractual Clauses, or other appropriate safeguards under Chapter V GDPR where required.
5. PostHog
Provider: PostHog, Inc. and affiliated PostHog entities.
Role: analytics and error-tracking provider — browser analytics and client-side error tracking after consent, and server-side product and security analytics on a legitimate-interest basis.
Purpose: web, product, and technical error analytics in the browser after consent to the analytics category, and server-side product, security, and usage analytics events processed on a legitimate-interest basis.
Data categories: pseudonymous browser and usage identifiers, page and feature usage data, technical browser data, session metadata, and minimized error context; for server-side analytics, account and subscription lifecycle and usage events, the associated account identifier, and the account holder's own email address. The service is designed to minimize personal workspace content — such as the names, email addresses, phone numbers, addresses, coordinates, notes, CSV content, or route content of drivers, passengers, and other participants — sent to PostHog; limited workspace content may nonetheless be included incidentally in server-side error diagnostics, which PostHog processes as our processor under a data processing agreement.
Location and processing: depends on the configured PostHog Cloud region or active PostHog host.
Transfer mechanism: adequacy decision, Standard Contractual Clauses, or other appropriate safeguards under Chapter V GDPR where required.
6. Amazon Web Services and Amazon SES
Provider: Amazon Web Services EMEA SARL, Amazon Web Services, Inc., and affiliated AWS entities.
Role: email and infrastructure provider where Amazon SES or AWS infrastructure is enabled.
Purpose: sending transactional emails, newsletter confirmation emails, unsubscribe messages, and processing delivery status.
Data categories: recipient addresses, sender addresses, subject lines, email content, locale values, send timestamps, delivery status, and technical delivery metadata.
Location and processing: Amazon SES is currently intended to use the eu-north-1 region; support and group-company access may involve third-country processing.
Transfer mechanism: adequacy decision, Standard Contractual Clauses, or other appropriate safeguards under Chapter V GDPR where required.
7. Photon Geocoding Provider
Provider: the configured Photon endpoint; unless configured otherwise, this may be the public Photon service operated by Komoot.
Role: geocoding and address search provider.
Purpose: address search, autocomplete, address normalization, and geocoding.
Data categories: search queries, addresses, place names, coordinates, language settings, and technical request metadata.
Location and processing: depends on the configured Photon endpoint.
Transfer mechanism: depends on the configured provider and processing location; third-country transfers require an appropriate transfer instrument.
8. Route Solver and Valhalla Infrastructure
Provider: the Route Solver and Valhalla infrastructure configured by Pablo Thiermann.
Role: routing and optimization infrastructure.
Purpose: calculation of travel times, distances, routes, and optimized assignments without Mapbox optimization where this product feature is used.
Data categories: coordinates, routing parameters, driver and passenger IDs, capacities, time windows, assignment parameters, and technical request metadata. Personal names and contact details should not be required for this calculation.
Location and processing: depends on the active infrastructure configuration.
Transfer mechanism: depends on hosting location and provider; third-country transfers require an appropriate transfer instrument.
9. Google Services
Provider: Google Ireland Limited, Google LLC, and affiliated Google entities.
Role: optional login provider and recipient for user-initiated Google Maps route links; independent controller or service provider depending on the processing activity.
Purpose: optional Google sign-in through Supabase Auth and opening Google Maps route links by users.
Data categories: authentication data for Google sign-in; route, address, and location data contained in or transmitted through Google Maps links.
Location and processing: Ireland, United States, and other Google processing locations.
Transfer mechanism: adequacy decision, Standard Contractual Clauses, or other appropriate safeguards under Chapter V GDPR where required.
10. Cloudflare
Provider: Cloudflare, Inc. and affiliated Cloudflare entities.
Role: security, access, or infrastructure provider where Cloudflare Access or Cloudflare-protected infrastructure is enabled.
Purpose: access protection, service-to-service authentication, security filtering, and infrastructure protection.
Data categories: technical request data, IP-related request information, Access headers, security events, and log data.
Location and processing: United States and other Cloudflare processing locations.
Transfer mechanism: adequacy decision, Standard Contractual Clauses, or other appropriate safeguards under Chapter V GDPR where required.
11. Kasada / Vercel BotID
Provider: Kasada Pty Ltd and affiliated Kasada entities, used through Vercel BotID where BotID or Deep Analysis is enabled.
Role: bot-protection and abuse-prevention provider; subprocessor or security service provider depending on the processing activity and active BotID configuration.
Purpose: BotID challenge, verification, and bot-detection processing for protected routes, including prevention of automated abuse against high-value endpoints such as the demo optimization API.
Data categories: technical request data, IP-related request information, browser and device security signals, challenge or verification outcomes, protected route and HTTP method metadata, and related security diagnostics. Workspace content such as driver, passenger, route, import, export, and note content is not intentionally sent to Kasada for BotID processing.
Location and processing: Australia, United States, and other Kasada or Vercel processing locations according to the active BotID configuration.
Transfer mechanism: adequacy decision, Standard Contractual Clauses, or other appropriate safeguards under Chapter V GDPR where required.