Legal
Sub-processors
Last updated April 22, 2026.
CBSC uses the following third-party service providers (“sub-processors”) to operate the service. Each executes our standard Data Processing Addendum with Standard Contractual Clauses before it is allowed to touch customer data (see Privacy Policy §3).
A machine-readable version of this list is available at /api/legal/sub-processors. Integrations that want to be notified of changes can poll that endpoint.
Current list
| Name | Purpose | Region | DPA |
|---|---|---|---|
| Supabase | Managed Postgres, authentication, file storage, realtime, and edge functions. The primary system of record for CBSC. | US (us-east-1) | DPA |
| Vercel | Hosting and edge delivery of the CBSC Next.js application. | Global edge; origin US | DPA |
| Stripe | Subscription billing, checkout, and card processing. Stripe handles PCI scope — CBSC never sees card numbers. | US, with global processing network | DPA |
| Resend | Transactional email delivery (verification, password reset, billing receipts, privacy-request acknowledgements). | US | DPA |
| Sentry | Application error tracking. PII is scrubbed at ingest per spec §9.6; traces retain no family or swimmer identifiers. | US | DPA |
| Axiom | Server log storage with a 90-day retention window (see Retention table). | US | DPA |
| Cloudflare | DNS and CDN for the cbsc domain. No customer personal data is stored at Cloudflare; only request metadata transits. | Global | DPA |
Changes to this list
When we add a new sub-processor, we post it here at least thirty days in advance of giving them access to customer data. Customers who object can cancel their subscription during that window without penalty. Removals are posted when they happen; no advance notice is required.
To be notified directly when this list changes, email privacy@collegeboundswimclub.com and ask to be added to the sub-processor notification list.