RepRoom

RepRoom Subprocessor List

Last updated: 4/29/2026

A "subprocessor" is a third-party service that processes personal information on behalf of RepRoom in order to deliver the Service. We use a small, vetted set of subprocessors and we maintain this list publicly. We will provide institutional customers at least 30 days' notice before adding a new subprocessor that processes their data, when contractually required.

For questions about this list or to request a Data Processing Agreement (DPA), contact privacy@reproom.dev.

Active subprocessors

Supabase, Inc.

  • Purpose: PostgreSQL database hosting; the primary store for all application data
  • Data accessed: All application data — user accounts and profiles, team and institution content, messages, attendance records, billing identifiers, audit logs
  • Hosting region: AWS us-east-1 (N. Virginia, United States)
  • DPA: Available
  • Certifications: SOC 2 Type 2, HIPAA-eligible (paid plans)
  • Sub-subprocessor note: Supabase runs on Amazon Web Services (AWS). AWS is bound by Supabase's customer agreements and certifications.

Vercel, Inc.

  • Purpose: Application hosting; runs Next.js server functions, edge routing, and static asset delivery for RepRoom
  • Data accessed: All HTTP traffic to and from RepRoom, including any data submitted to or returned from the application
  • Hosting region: iad1 (Washington, D.C., United States — AWS us-east-1)
  • DPA: Available
  • Certifications: SOC 2 Type 2, ISO 27001
  • Sub-subprocessor note: Vercel runs on Amazon Web Services (AWS). AWS is bound by Vercel's customer agreements and certifications.

Upstash, Inc.

  • Purpose: Redis-based rate limiting and abuse prevention; protects RepRoom's authentication, signup, and messaging endpoints from automated abuse
  • Data accessed: Short-lived rate-limit counters keyed by IP address, email address, or user identifier. Counters expire automatically and are not used for any other purpose.
  • Hosting region: AWS us-east-1 (N. Virginia, United States)
  • DPA: Available
  • Certifications: SOC 2 Type 2

Resend (Resend, Inc.)

  • Purpose: Transactional email delivery — account confirmations, billing notifications, invitations to join an institution or team, password resets, and security alerts
  • Data accessed: Recipient email address, recipient name, message subject and body
  • Hosting region: United States
  • DPA: Available
  • Certifications: SOC 2 Type 2

Stripe, Inc.

  • Purpose: Payment processing and subscription billing
  • Data accessed: Billing contact information, payment method details (handled directly by Stripe; RepRoom does not store full payment card numbers), customer and subscription identifiers
  • Hosting region: United States, with global processing for payments
  • DPA: Available
  • Certifications: PCI DSS Level 1, SOC 1, SOC 2 Type 2, HIPAA-compliant offerings available

Infrastructure providers (sub-subprocessors)

Several of our subprocessors rely on cloud infrastructure providers — most notably Amazon Web Services (AWS) for Supabase, Vercel, and Upstash. AWS is bound by its customers' agreements and certifications, including SOC 1, SOC 2, ISO 27001, and others. AWS does not have direct access to RepRoom data; access is mediated through our subprocessors.

Internal RepRoom access

Access to production data within RepRoom itself is limited to authorized RepRoom personnel who require it to operate or support the Service. Access requires authentication and is logged where applicable. See our Security Overview at reproom.dev/security for more detail.

Notification of changes

When we add or change a subprocessor that processes the data of an institutional customer, and the customer's agreement requires advance notice, we will provide notice (typically by email to the institution's designated contact) at least 30 days before the change takes effect, unless a shorter timeline is required for security or legal reasons.

To be added to a notification list for subprocessor changes, contact privacy@reproom.dev.

Removed subprocessors

We do not currently use, and do not list, subprocessors that are not actively processing RepRoom user data. If a subprocessor is added or removed, this page will be updated.

Data residency summary

All RepRoom subprocessors that store or process customer data at rest do so in the United States. Stripe processes payments globally as part of card-network operations, but billing identifiers and customer records relevant to RepRoom are stored in the United States.

RepRoom does not currently offer non-US data residency. Customers requiring non-US data residency should contact us before signing a contract.

Contact

To request a copy of a Data Processing Agreement, ask about a specific subprocessor, or be added to the subprocessor change notification list, contact privacy@reproom.dev.