Tracent TechnologiesSub-processors
The third parties that process personal data on behalf of Tracent Technologies. Each has a signed Data Processing Addendum on file (or is marked Pending where one is in negotiation) and is listed in our NDPC audit evidence inventory.
Updated when the list changes. We notify customers in writing of any addition or replacement at least 30 days before a new sub-processor begins processing their data.
Infrastructure
Supabase
Postgres database, authentication, row-level security, realtime broadcast, file storage. The customer-facing console and the gateway audit log both persist here.
- Location:
- EU (Frankfurt)
- NDPA role:
- Processor
- Data categories:
- auth credentials, audit logs (PII redacted), user email
- DPA:
- Yes
Personal data leaves Nigeria; logged in ndpa_cross_border_transfers with Standard Contractual Clauses as the safeguard.
Vercel
Hosting for the Next.js marketing site and customer console. Server-rendered pages, API routes, and the edge OG-image renderer run here.
- Location:
- Global edge (US-primary)
- NDPA role:
- Processor
- Data categories:
- user email, audit logs (PII redacted)
- DPA:
- Yes
Personal data leaves Nigeria; SCC in place. Edge functions execute close to the requester.
Hetzner Cloud
Self-hosted Whisper transcription server for internal call recordings. Operational only; does not process customer-facing data.
- Location:
- Germany (FSN1, Falkenstein)
- NDPA role:
- Processor
- Data categories:
- transcription audio (internal only)
- DPA:
- Yes
Internal-only; migrating to Cassava Cloud Nigeria in Phase 2 to bring the workload in-region.
Brevo
Transactional email delivery: authentication emails (via the Supabase Send-Email Hook), welcome emails, breach alerts, contact-form replies.
- Location:
- France (Paris)
- NDPA role:
- Processor
- Data categories:
- user email
- DPA:
- Yes
Personal data leaves Nigeria; SCC in place. SMTP fallback configured but the HTTP API hook is the active path.
Observability
Sentry
Application error monitoring with custom beforeSend PII scrubbing per lib/ndpa/sentry-scrub.ts. PII patterns are stripped from error events before transmission.
- Location:
- EU (Frankfurt)
- NDPA role:
- Processor
- Data categories:
- error metadata (PII scrubbed)
- DPA:
- Yes
beforeSend hook strips request bodies that mention any PII field. Last line of defence; the gateway redactor is the actual line of defence.
Analytics
PostHog
Anonymous product analytics. Configured with person_profiles: 'identified_only' so anonymous traffic does not create profiles.
- Location:
- EU (Frankfurt)
- NDPA role:
- Processor
- Data categories:
- anonymous product events
- DPA:
- Yes
EU-hosted instance selected for NDPA alignment. No personal data sent by configuration; identification only after explicit opt-in.
AI Provider
Anthropic
Customer-driven model inference via MCP. Reached only by customers' AI clients (Claude); Tracent does not initiate Anthropic calls server-side.
- Location:
- United States
- NDPA role:
- Sub-processor
- Data categories:
- model API payloads (PII redacted)
- DPA:
- Pending
Customer is the data Controller for model calls; Tracent is the Processor; Anthropic is the Sub-processor. Tracent's gateway redacts PII before payloads reach the model.
How to request our DPA
Customer legal teams routinely ask for our Data Processing Addendum during a security review. Email compliance@tracenttechnologies.com and we will send the current version (NDPA-aligned, with Standard Contractual Clauses for any sub-processor outside Nigeria) within one business day.