Subprocessor List

Last updated: 2026-02-11
Version 1.1

1. Overview

Asterium LLC, doing business as NannyLedger ("NannyLedger," "we," "us," or "our"), engages third-party service providers ("subprocessors") to assist in delivering the NannyLedger service. Each subprocessor processes personal data only as necessary for its stated purpose and is bound by contractual obligations to protect the confidentiality and security of that data. This page lists all current subprocessors, the data they process, and their relevant certifications.

2. Current Subprocessors

The following subprocessors are currently engaged by NannyLedger as of the date shown above.

Stripe (Payment Processing, Fund Routing & Bank Verification)

Purpose: Subscription billing, ACH Direct Debit collection for payroll funding, fund routing to employee bank accounts via Stripe Connect, bank account verification via Financial Connections, and payment fraud prevention.
Data processed: Cardholder/account holder name, card number (tokenized), bank account details (tokenized), billing address, email address, payment history, ACH transaction history, connected account identity data (handled by Stripe).
Location: United States.
Certifications: PCI DSS Level 1, SOC 2 Type II.
Privacy policy: https://stripe.com/privacy

Supabase (Authentication & Database)

Purpose: User authentication, session management, and PostgreSQL database hosting.
Data processed: Email addresses, hashed passwords, session tokens, and all application data stored in the database (encrypted at rest).
Location: United States (AWS us-west-2).
Certifications: SOC 2 Type II, HIPAA eligible.
Privacy policy: https://supabase.com/privacy

Vercel (Application Hosting)

Purpose: Web application hosting, CDN delivery, serverless function execution, and edge middleware.
Data processed: IP addresses, request metadata, application logs (no PII in logs by design).
Location: United States (primary), global edge network.
Certifications: SOC 2 Type II.
Privacy policy: https://vercel.com/legal/privacy-policy

Anthropic (AI Services)

Purpose: AI-powered Tax Assistant for general tax guidance.
Data processed: User questions about tax topics (no PII, SSNs, or financial data is sent to Anthropic).
Location: United States.
Certifications: SOC 2 Type II.
Privacy policy: https://www.anthropic.com/privacy
Note: Anthropic does not use API inputs or outputs for model training.

Upstash (Rate Limiting)

Purpose: Redis-based rate limiting to prevent API abuse.
Data processed: Hashed user identifiers (user ID or IP address), request counts, and timestamps. No PII is stored.
Location: United States (AWS).
Certifications: SOC 2 Type II.
Privacy policy: https://upstash.com/trust/privacy.html

Resend (Transactional Email)

Purpose: Sending transactional emails (contact form submissions, support notifications).
Data processed: Recipient email address, email subject, and email body content.
Location: United States.
Certifications: SOC 2 Type II.
Privacy policy: https://resend.com/legal/privacy-policy

3. Changes to Subprocessors

We will provide at least 30 days' advance notice before adding a new subprocessor or making a material change to an existing subprocessor's scope of data processing. Notice will be provided via email to account holders and by updating this page. If you object to a new subprocessor, you may contact us within the 30-day notice period to discuss your concerns. If we cannot address your concerns, you may terminate your subscription and receive a prorated refund for the remainder of your billing period.

4. Contact Us

If you have questions about our subprocessors or their data handling practices, contact us at privacy@nannyledger.com, by mail at Asterium LLC, Katy, TX 77450, or through our Contact Support page.
