GDPR Art. 28
Sub-processors
This page lists every vendor ScopePilot engages to process customer personal data, the purpose of that processing, where they host, and the safeguards in place for any transfer outside the EEA. Each provider is bound by a Data Processing Agreement (DPA) and, where applicable, the European Commission's Standard Contractual Clauses.
Last updated: 29 June 2026.
Core sub-processors
Engaged for every ScopePilot customer to deliver the core service.
| Provider | Purpose | Data processed | Hosting region | Transfer mechanism | Legal |
|---|---|---|---|---|---|
| Supabase, Inc. | Primary database, authentication, file storage, realtime | Account data, briefs, proposals, uploads, auth tokens | EU (Ireland, eu-west-1) | Data stays in EU — no international transfer for primary storage | |
| Cloudflare, Inc. | CDN, edge runtime (Workers), DDoS protection, DNS | HTTP request metadata, IP address, response cache | Global edge network | SCCs (EU Commission Module 2) + DPA | |
| Lovable AB | Application hosting platform and deployment | Application bundles, environment configuration | EU / US | SCCs + DPA | |
| Paddle.com Market Limited | Merchant of Record — payments, subscriptions, tax, invoicing | Billing name, email, address, payment method, invoices | UK / EU / US | SCCs + DPA. Paddle acts as independent controller for billing data. | |
| Resend, Inc. | Transactional email delivery (auth, brief-ready, invites) | Recipient email, subject, message body, delivery metadata | EU / US | SCCs + DPA | |
| Google LLC (Gemini API) | AI generation for briefs, proposals, and add-ons | Prompt content derived from project inputs | EU endpoint where available, otherwise US | SCCs + DPA via Google Cloud. Prompts and outputs are NOT used to train Google models. |
Optional sub-processors (customer-initiated integrations)
Engaged only if you connect the corresponding integration from Settings. Data is only sent to these providers for the export actions you trigger.
| Provider | Purpose | Data processed | Hosting region | Transfer mechanism | Legal |
|---|---|---|---|---|---|
| Notion Labs, Inc. | Export briefs/proposals to a customer-connected Notion workspace | OAuth token, page IDs, brief content the customer chooses to export | US | SCCs + DPA | |
| Google LLC (Drive API) | Export briefs/proposals to a customer-connected Google Drive | OAuth token, exported document content | EU / US | SCCs + DPA | |
| HubSpot, Inc. | Push project/brief data to a customer-connected HubSpot CRM | API token, contact/deal payloads the customer chooses to sync | EU / US | SCCs + DPA | |
| monday.com Ltd. | Push project data to a customer-connected monday.com board | API token, board/item payloads | EU / US | SCCs + DPA | |
| Atlassian (Trello) | Push project data to a customer-connected Trello board | API token, board/card payloads | EU / US | SCCs + DPA | |
| ClickUp (Mango Technologies, Inc.) | Push project data to a customer-connected ClickUp workspace | API token, task/list payloads | US | SCCs + DPA |
Analytics & cookies
ScopePilot does not load third-party analytics or tracking scripts until a visitor opts in via the cookie banner. When analytics providers are enabled they will be added to the list above with the same disclosures. See our privacy policy for cookie details.
Change notifications
We notify customers by email at least 30 days before adding or replacing a sub-processor that handles customer personal data. To subscribe to change notices or request our counter-signed DPA, email privacy@scopepilot.ie.
This page is maintained by the ScopePilot team to answer common privacy and processing questions. It is not a regulatory certification — for legal advice, consult your DPO or counsel.