Sub-processors
Last updated: May 2026
BuiltSign (Crul.Dev, KVK 97533114) uses the following third-party sub-processors to provide its service. All sub-processors are contractually bound by the same or stricter obligations as our Data Processing Agreement (DPA).
1. What are sub-processors?
A sub-processor is any third party engaged by BuiltSign to process personal data on behalf of our customers. We only engage sub-processors that provide sufficient guarantees of appropriate technical and organisational measures in accordance with GDPR Article 28(2).
2. Current sub-processors
As of May 2026. We announce intended changes at least 30 days in advance.
| Sub-processor | Service | Primary location | Transfer basis |
|---|---|---|---|
| Supabase Inc. | Database & authentication | EU (Frankfurt) | Adequacy (EEA) |
| Amazon Web Services EMEA SARL | Object storage (S3) | EU (Stockholm) | Adequacy (EEA) |
| Render Services Inc. | Backend hosting | EU region | SCC 2021/914 |
| Vercel Inc. | Frontend hosting & edge | EU region / global CDN | SCC 2021/914 |
| Stripe Payments Europe Ltd. | Payments & identity verification (optional) | IE / US (KYC only) | SCC 2021/914 + SIG |
| Twilio Ireland Ltd. | SMS one-time passwords (optional) | EU (Dublin) | Adequacy (EEA) |
| DigiCert Inc. | RFC 3161 trusted timestamps | US (document hash only) | SCC 2021/914 |
| hCaptcha (Intuition Machines Inc.) | Bot protection | EU edge | SCC 2021/914 |
| Resend Inc. | Transactional email | EU region | SCC 2021/914 |
3. Changes to this list
Intended additions or replacements of sub-processors are announced at least 30 days in advance via the mechanism set out in our DPA. Customers with an active DPA may raise a reasoned objection within that period on legitimate privacy grounds.
4. Questions
For questions about our sub-processors or to request a copy of our DPA, contact us at legal@builtsign.com.