Skip to main content
Invoset

Legal

Sub-processors

The third-party service providers Ravencord OÜ uses to operate Invoset. Each provider has signed a written data processing agreement and is subject to the security and confidentiality terms required under GDPR Article 28.

Effective
May 8, 2026
Last updated
May 8, 2026

Why this list exists

Under Article 28 of the EU and UK General Data Protection Regulation, a processor must publish or otherwise make available the list of sub-processors it engages, so customers can review the chain of providers who may handle personal data on their behalf. We maintain this page as the authoritative public list.

Active sub-processors

Vercel Inc.

Purpose
Frontend hosting and global content delivery for invoset.com and the customer dashboard.
Data accessed
Page request metadata, IP addresses (transient), authentication tokens forwarded to Supabase, basic product analytics.
Hosting region
United States, with edge points of presence globally.
Certifications
SOC 2 Type 2, ISO 27001, GDPR.
DPA
https://vercel.com/legal/dpa
Privacy policy
https://vercel.com/legal/privacy-policy

Supabase Inc.

Purpose
Primary database (Postgres), authentication service, and object storage for generated reports and screenshots.
Data accessed
Account profile (email, name), site domains submitted, scan results, accessibility findings, certificate artifacts, audit-trail PDFs.
Hosting region
European Union (Frankfurt, Germany) for the Invoset project.
Certifications
SOC 2 Type 2, GDPR, HIPAA-eligible.
DPA
https://supabase.com/legal/dpa
Privacy policy
https://supabase.com/privacy

Render Services Inc.

Purpose
Hosting for the Invoset API service and the background scanner worker that runs accessibility tests.
Data accessed
All customer data routed through the API and processed by the worker, including site domains and scan output.
Hosting region
European Union (Frankfurt, Germany) for the Invoset deployment.
Certifications
SOC 2 Type 2, ISO 27001, HIPAA-eligible, GDPR.
DPA
https://render.com/legal/dpa
Privacy policy
https://render.com/legal/privacy

Sendinblue SAS (Brevo)

Purpose
Transactional email delivery for account notifications, scan completion alerts, and compliance digest emails.
Data accessed
Recipient email address, recipient name, scan summary content included in the message body.
Hosting region
European Union (France).
Certifications
ISO 27001, GDPR, French CNIL guidance for transactional senders.
DPA
https://www.brevo.com/legal/termsofuse/dpa/
Privacy policy
https://www.brevo.com/legal/privacypolicy/

Notice of changes

We will update this list before adding any new sub-processor that has access to personal data. Customers on a paid plan will receive at least 30 days' advance notice by email. Customers who object to a new sub-processor for material reasons may terminate their subscription with a pro-rata refund of any prepaid amounts for the unused term, subject to the conditions in our Refund Policy.

Future additions on the roadmap

We expect to engage the following providers as the product grows. They are listed here for transparency even though they are not active yet and do not currently process customer data:

  • LemonSqueezy (payment processor and merchant-of-record), pending onboarding approval.
  • OpenAI (vision model for context-aware scan augmentation), planned for a later release. We will update this page and notify customers before any customer data is sent to OpenAI.

Questions

For data-protection or sub-processor questions, email legal@invoset.com.