Reservly Sub-Processor List
Last updated: April 26, 2026
What is a sub-processor?
A sub-processor is a third-party service that Reservly uses to operate the platform. Where those services store, transmit, or otherwise process personal data on Reservly's behalf, the GDPR and similar laws classify them as sub-processors. The businesses that use Reservly are controllers of their customers' personal data; Reservly is a processor acting on each business's behalf; the services listed below are sub-processors engaged by Reservly.
This page lists every sub-processor we currently use, plus services we expect to activate in the near term. We keep the list current because the businesses we serve often need it to satisfy their own compliance programs.
Current sub-processors
Core platform infrastructure
| Sub-processor | Purpose | Data categories processed | Region | Provider privacy page |
|---|---|---|---|---|
| Supabase (Supabase, Inc.) | Primary application database (Postgres), authentication, and object storage | Account data, booking data, usage logs, customer-provided booking form fields, encrypted OAuth tokens (Supabase Vault) | United States — us-east-2 (Ohio) | supabase.com/privacy |
| Vercel (Vercel, Inc.) | Application hosting — serverless functions, edge network, static asset delivery | Server-side request and rendering data, access logs | United States — iad1 (Northern Virginia) | vercel.com/legal/privacy-policy |
| Cloudflare R2 (Cloudflare, Inc.) | Object storage for business-uploaded images, served through our custom domain images.reservly.io | Uploaded images (logos, gallery photos, floor plans), image metadata | Global edge network | cloudflare.com/privacypolicy |
| Upstash (Upstash, Inc.) | Rate-limiting state (token buckets) and short-term counters | API keys (hashed), per-key request counters, IP-address-derived counters | United States (configurable) | upstash.com/trust/privacy.pdf |
‡ For UK personal data transferred to US-based sub-processors (Supabase, Vercel, Cloudflare, Upstash): the applicable transfer mechanism is the ICO-approved IDTA or UK Addendum to EU SCCs. Where a US-based sub-processor is certified under the UK-US Data Bridge, Reservly may rely on that certification in lieu of the IDTA for that specific transfer. Certification status will be verified per vendor before UK customer onboarding.
Communication and monitoring
| Sub-processor | Purpose | Data categories processed | Region | Provider privacy page |
|---|---|---|---|---|
| Resend (Resend, Inc.) | Outbound transactional email (booking confirmations, reminders, account email) | Recipient email address, email subject and body, delivery events | United States | resend.com/legal/privacy-policy |
| Sentry (Functional Software, Inc. / Sentry) | Application error and performance monitoring | Error stack traces, request metadata, breadcrumbs (PII scrubbed before ingest) | European Union — ingest.de.sentry.io (Frankfurt) | sentry.io/privacy |
Billing (Reservly's own subscriptions)
| Sub-processor | Purpose | Data categories processed | Region | Provider privacy page |
|---|---|---|---|---|
| Paddle (Paddle.com Market Ltd.) | Merchant of record for Reservly subscriptions — collects payment, handles global sales tax (VAT/GST), issues invoices and receipts, processes subscription cancellations and refunds. Note: Paddle is incorporated in the United Kingdom; no international transfer mechanism is required for UK personal data transferred to Paddle. | Business billing contact, payment method (handled by Paddle; Reservly does not see card numbers), transaction amounts, tax determinations | Global, with EU primary (Paddle is UK-incorporated) | paddle.com/legal/privacy |
Customer-to-business payments (payment facilitator)
Reservly is a payment facilitator, not a payment processor. When a business using Reservly accepts payments from its customers through Stripe or PayPal, those providers process payment data on the business's instruction — not Reservly's instruction. This means Stripe and PayPal are not Reservly's sub-processors in this flow; they are independent data processors engaged directly by the business through the business's own Stripe Connect Standard or PayPal Commerce Platform account. The business, as the merchant of record, has its own contractual relationship with Stripe and PayPal and is responsible for those providers' data-processing practices in the customer-facing payment flow.
Reservly lists these providers here for transparency, because the OAuth connect flow passes through Reservly's infrastructure and Reservly stores minimal payment-adjacent reference data (transaction IDs and last four digits of payment methods, as described in the Privacy Policy). The customer personal data processed during payment itself — card details, billing address, bank account information — is governed solely by the business's agreements with Stripe and PayPal, not by Reservly's DPA.
The following table describes this relationship for transparency. These providers are not Reservly's sub-processors; they are listed because Reservly stores OAuth tokens that link a business's account to these providers.
| Sub-processor | Purpose | Data categories processed | Region | Provider privacy page |
|---|---|---|---|---|
| Stripe (Stripe, Inc.) | Customer-to-business payment processing via business's own Stripe Connect Standard account — Stripe processes on the business's instruction, not Reservly's | OAuth tokens linking a business to its Stripe account (encrypted at rest in Supabase Vault); payment intent reference IDs; last-4 of payment method (for display only). Card details and billing data are processed solely by Stripe under the business's agreement with Stripe. | Global | stripe.com/privacy |
| PayPal Commerce Platform (PayPal, Inc.) | Customer-to-business payment processing via business's own PayPal Commerce Platform merchant account — PayPal processes on the business's instruction, not Reservly's | OAuth tokens linking a business to its PayPal account (encrypted at rest in Supabase Vault); order reference identifiers; payer reference (for display only). Payment data is processed solely by PayPal under the business's agreement with PayPal. | Global | paypal.com/us/legalhub/privacy-full |
Integrations activated at the business's option
These sub-processors are only engaged when a business explicitly connects them from the Reservly dashboard. If a business never connects them, no data flows to them.
| Sub-processor | Purpose | Data categories processed | Data flow | Region | Provider privacy page |
|---|---|---|---|---|---|
| Google (Google LLC) | Calendar sync: Google Calendar availability sync and booking-event injection. Meeting creation: Google Meet link generation for virtual bookings. Backup: Google Drive backup export target (optional). | Calendar: Booking events written to Google Calendar (service/event name, customer name, customer email, booking time, virtual meeting link). Existing event start/end times read in real time to compute availability — NOT stored in Reservly's database. Backup: Business data exports (booking records, customer contact data as present in bookings, business configuration) written to Google Drive via drive.file scope. OAuth tokens encrypted at rest (Supabase Vault). | Calendar: Bidirectional — Reservly reads existing event metadata from Google Calendar (real-time, not stored); Reservly writes booking events to Google Calendar on confirmation/reschedule/cancel. Backup: Write-only — Reservly writes backup files; does not read existing Drive content. Meetings: Write-only — Reservly creates Meet links; does not read meeting records. | Global (Google infrastructure, EU and US datacentres) | policies.google.com/privacy |
| Microsoft (Microsoft Corporation) | Calendar sync: Microsoft/Outlook Calendar availability sync and booking-event injection. Meeting creation: Microsoft Teams link generation. Backup: OneDrive backup export target (optional). | Calendar: Booking events written to Microsoft Calendar (service/event name, customer name, customer email, booking time, Teams meeting link). Existing event start/end times read in real time — NOT stored in Reservly's database. Backup: Business data exports (booking records, customer contact data, business configuration) written to OneDrive via Files.ReadWrite.AppFolder permission. OAuth tokens encrypted at rest (Supabase Vault). | Calendar: Bidirectional — Reservly reads existing event metadata (real-time, not stored); writes booking events on confirmation/reschedule/cancel. Backup: Write-only. Meetings: Write-only. | Global (Microsoft infrastructure, EU and US datacentres) | privacy.microsoft.com |
| Zoom (Zoom Video Communications, Inc.) | Virtual meeting creation for bookings configured as virtual or hybrid | Written to Zoom: Meeting topic (derived from service name), start time, duration. Customer contact details are not sent to Zoom at meeting-creation time. OAuth tokens encrypted at rest (Supabase Vault). | Write-only — Reservly creates meetings in Zoom; does not read Zoom meeting records | Global | zoom.us/privacy |
| Dropbox (Dropbox, Inc.) | Optional backup target for business data exports | Written to Dropbox: Structured backup files (JSON/CSV) containing booking records, customer contact data (name, email, phone as present in bookings), and business configuration. OAuth tokens encrypted at rest (Supabase Vault). Reservly does not read existing Dropbox content. | Write-only — Reservly writes backup files to a dedicated /Apps/Reservly/ app folder; does not read from Dropbox | Global | dropbox.com/privacy |
† For UK personal data transferred to non-UK sub-processors, the applicable transfer mechanism is the ICO-approved International Data Transfer Addendum (IDTA) or UK Addendum to EU SCCs. Google LLC and Microsoft Corporation participate in the EU–US Data Privacy Framework (DPF) and its UK Extension; where their certifications are valid, Reservly may rely on the UK-US Data Bridge in lieu of the IDTA for those specific transfers.
Planned sub-processors
These services are contracted or under evaluation and will appear in the "Current" tables above on the date they begin processing live data. We will announce each activation through the notice process described below at least 30 days in advance.
| Sub-processor | Purpose | Planned activation | Region |
|---|---|---|---|
| Mistral AI (Mistral AI SARL) | AI-powered translation of business-authored content (service names, descriptions, policies) via the R4.2 translation feature. Data processed in the EU; no third-country transfer; paid API excludes data from model training; 30-day data retention limit. DPA available at legal.mistral.ai. | On R4.2 translation feature launch | France / European Union — eu-central-1 (Frankfurt) |
| Telnyx (Telnyx LLC) | SMS delivery for bookings in North America (USA, Canada, Mexico) | On SMS feature launch | United States |
| Infobip (Infobip Ltd.) | SMS delivery for bookings in the European Union, United Kingdom, and adjacent markets | On SMS feature launch | European Union |
| Twilio (Twilio Inc.) | SMS delivery via business-connected "bring your own" Twilio accounts (the business supplies the credentials; Reservly routes SMS through their account) | On BYO SMS feature launch | Global |
How we manage sub-processor changes
We maintain a Data Processing Agreement or equivalent contract with every sub-processor that processes personal data on our behalf, and we rely on Standard Contractual Clauses or an equivalent transfer mechanism for international transfers where required.
We review each sub-processor's data-processing practices, DPA status, and region at least annually. The Last updated date at the top of this page reflects the most recent review cycle. Individual sub-processor rows do not show per-row review dates; all rows were verified as of the most recent Last updated date unless otherwise noted.
When we propose to add a new sub-processor or materially change an existing one, we will post the change on this page and send notice to the primary contact email on every active subscription at least 30 days before the change takes effect, unless a shorter period is required by law or by a security-critical incident. During that window, a business may object to the change by emailing support@reservly.io. If we cannot accommodate the objection, the business may terminate its subscription and receive a pro-rated refund of any prepaid fees for the remaining service period.
Subscribe to change notifications
Businesses with active subscriptions receive sub-processor change notices automatically at the primary contact email.
Other parties (prospective customers, auditors, procurement teams) may subscribe to change notifications by emailing support@reservly.io with the subject line "Sub-processor list subscribe" and we will add the address to the notice list. You may unsubscribe at any time with the subject line "Sub-processor list unsubscribe."
We plan to add an RSS feed for this page in a future update; when available, it will be linked here.
Changelog
This section records every material change to the list above, in reverse chronological order.
| Date | Change |
|---|---|
| 2026-04-26 | Reclassified Stripe and PayPal from "sub-processors" to "independent processors engaged by the business" in the customer-to-business payment section. Expanded Google and Microsoft integration rows with explicit data-flow direction (bidirectional calendar, write-only backup/meetings). Added UK Addendum/IDTA and UK-US Data Bridge footnote for UK transfers. Added last-reviewed disclosure to sub-processor management section. Added Mistral AI SARL to planned sub-processors (R4.2 AI translation feature). Confirmed DeepSeek is not and will not be integrated — excluded from this list per A6 compliance review (GDPR unlawful transfer risk, active Italian/German DPA actions). |
| 2026-04-26 | Open item — RA-47: Upstash DPA acceptance pending Steve's verification. Upstash processes IP-address-derived rate-limiting counters, which constitute personal data under GDPR Recital 30. Steve must log in at upstash.com/trust and confirm the Data Processing Agreement has been signed or accepted for the Reservly account. This entry will be updated once confirmed — see RA-47. |
| 2026-04-16 | Initial publication. |
Contact
Questions about any sub-processor, a specific transfer, or our sub-processor program generally: support@reservly.io.
Formal data-protection inquiries (data subject requests, regulator correspondence): support@reservly.io with subject line "Privacy Officer" — routed to Reservly's designated Privacy Officer role.