Subprocessors
Last updated: July 12, 2026
To run Phloz (the "Service") we rely on a small set of third-party providers ("subprocessors"). Each is bound by a contract that requires it to protect data and to process it only on our instructions, consistent with our Data Processing Addendum and Privacy Policy. This page is the current, authoritative list.
Platform subprocessors
These providers process Customer Data — the content you and your team put into your workspace — to deliver the Service. For this data, your organisation is the controller and Phloz is your processor.
| Subprocessor | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication, and file storage | United States |
| Vercel | Application hosting and content delivery | United States |
| Cloudflare | DNS, CDN, and network security | United States / global edge |
| Stripe | Payment processing and subscription billing | United States |
| Resend | Outbound (transactional) and inbound email delivery | United States |
| Inngest | Background job and scheduled-task orchestration | United States |
| Upstash | Rate limiting and abuse prevention | United States |
Analytics & operations subprocessors
These providers process data about site visitors and account holders (such as usage, device, and error data) for which Phloz is the controller. They do not receive your workspace's Customer Data as part of their normal function, and non-essential analytics load only where permitted by your cookie choice.
| Subprocessor | Purpose | Data location |
|---|---|---|
| Google (Analytics 4 & Tag Manager) | Website and product analytics | United States |
| PostHog | Product analytics and usage insights | United States |
| Sentry | Error and performance monitoring | United States |
International transfers
Data is stored and processed primarily in the United States. Where a transfer is subject to the EU/UK GDPR or Swiss law, it relies on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum), as described in our Data Processing Addendum.
Changes and how to get notified
We keep this page current. Before a new subprocessor begins processing Customer Data, we will update this list and notify workspace owners by email at least 30 days in advance where practical. If you have a signed or incorporated DPA with us, you may object to a new platform subprocessor on reasonable data-protection grounds as described in the DPA. To receive subprocessor-change notices, make sure your workspace owner email is current, or email privacy@phloz.com to subscribe.
Contact
Questions about our subprocessors? Email privacy@phloz.com — Phloz, Vancouver, BC, Canada.