Every third party that touches your data.
This page is the authoritative current list of sub-processors we use to run Abundera QR Pro. It is incorporated by reference into our Data Processing Addendum and our Privacy Policy. Last updated April 22, 2026.
We commit to giving account admins at least thirty (30) days' advance notice by email before adding a new sub-processor or materially changing the data a sub-processor accesses. Admins may object in writing during that window; if no reasonable alternative is feasible, the affected service may be terminated for cause with a prorated refund of the unused prepaid period.
1. Current sub-processors
| Sub-processor | Purpose | Data accessed | Region | Transfer mechanism |
|---|---|---|---|---|
| Cloudflare, Inc. DPA | Compute (Pages Functions, Workers), database (D1), key-value cache (KV), object storage (R2), DNS, CDN, edge TLS, API Shield | All account data (email, plan, Stripe IDs, team metadata), code records (shortcode, destination URL, label, tags), scan records (country + device class only — no IP, no raw UA), encrypted nightly backups. | United States (primary D1/R2). Global edge network for CDN and KV hot cache. | EU SCCs via Cloudflare DPA; UK IDTA; Swiss SCCs addendum. |
| Stripe, Inc. DPA | Payment processing, subscription billing, invoicing, dunning, chargeback handling | Email address, billing address (collected by Stripe Checkout), payment-method details (stored by Stripe, never by us), subscription lifecycle events, payment history, tax jurisdiction. | United States (primary); Ireland for EU customer data localization via Stripe's EU entities. | EU SCCs via Stripe DPA; UK IDTA; PCI-DSS Level 1 certified for cardholder data. |
| Zoho Corporation (ZeptoMail) DPA | Transactional email: welcome, invite, billing-lifecycle, Keep-Alive advance-notice, scan-cap alert, GDPR export delivery | Recipient email address and the rendered email body. No scan data, no code lists, no customer destination URLs. No third-party tracking pixels or redirect shims. | India (Zoho corporate) and United States (ZeptoMail US region). EU region available on request for Agency+ tiers. | EU SCCs via Zoho DPA. Zoho holds ISO 27001 and SOC 2 Type II certifications. |
| Twilio, Inc. DPA | SMS delivery for phone verification (abuse mitigation at signup and for sensitive account actions) | Mobile phone number and the one-time verification code. Numbers are hashed after verification; the raw number is not retained in our database beyond the verification window. | United States (primary). Carrier networks globally for last-mile SMS delivery. | EU SCCs via Twilio DPA; UK IDTA addendum. Twilio holds ISO 27001 and SOC 2 Type II certifications. |
2. What we do not use
For the avoidance of doubt, as of the version date above we do not use any of the following:
- Marketing or product-analytics platforms (no Google Analytics, Meta Pixel, Mixpanel, Amplitude, Segment, Hotjar, or equivalent).
- Customer-data-platform (CDP) vendors.
- Advertising networks or retargeting pixels.
- Customer-support chat tools that see user data.
- Third-party LLMs processing customer data (any production-time AI processing of customer data would require an amendment to this page and advance notice).
- Paid user-session-recording tools (FullStory, LogRocket, Pendo, etc.).
If we ever add a service in any of these categories, this page is updated and admins are notified per the commitment below.
3. Change-notification commitment
- New sub-processor: at least thirty (30) days' advance notice by email to account admins, plus a posting here. Non-admin seats are notified via a banner in the dashboard on their next sign-in.
- Material change to the data a sub-processor accesses: same 30-day advance-notice process.
- Replacement of a sub-processor in the same category (e.g., switching transactional-email providers): at least fifteen (15) days' advance notice. The replacement's contractual data-protection obligations will be at least equivalent to those of the departing provider.
- Immediate security exception: if we must suspend or replace a sub-processor on short notice to address an active security incident, we will notify promptly after the action and explain the rationale. Used sparingly and in good faith.
4. Change log
| Date | Version | Change |
|---|---|---|
| 2026-04-22 | v1.0 | Initial publication. Lists Cloudflare, Stripe, Zoho/ZeptoMail, and Twilio as the four sub-processors for Abundera QR Pro. Establishes the 30-day advance-notice commitment. |
5. Contact
Questions about sub-processors, data-transfer safeguards, or the change-notification process: privacy@abundera.ai (preferred) or enterprise@abundera.ai for DPA packet requests.
Abundera, Inc., 200 W Sahara Ave, Unit 3301, Las Vegas, NV 89102, USA.
See also: Security & data residency · Privacy policy · Data Processing Addendum · Corporate-wide sub-processor list.