Part 17 — Compliance Reference
Sub-processors & Data Transfers
A complete, up-to-date list of every third-party vendor that processes personal data on our behalf — their role, location, and transfer safeguard.
What is a sub-processor?
A sub-processor is any third-party vendor that processes personal data on our behalf under our instruction — as opposed to vendors that process data for their own independent purposes (who act as independent data controllers).
Under GDPR Article 28, we are required to: (a) use only sub-processors that provide sufficient data protection guarantees, (b) bind them by contract to process data only on our documented instructions, and (c) notify you of any new sub-processors or material changes.
Sub-processor table
| Vendor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, EC2/ECS hosting, S3 file storage (profile assets, digital product files) | EU-West-1 (Ireland) · US-East-1 (Virginia) | SCCs + DPA |
| MongoDB Atlas | Primary database (all user account, profile, product, and analytics data) | EU-West-1 (Ireland) · Cluster replication may include US | SCCs + DPA |
| Redis (Upstash / Redis Cloud) | Session caching, rate-limiting counters, real-time analytics queue | EU (Frankfurt or Ireland) | SCCs + DPA |
| Cloudflare | CDN, DDoS protection, DNS, SSL/TLS termination, custom domain proxying, Workers | Global PoP network · Controller: San Francisco, USA | SCCs + DPA + EU–US DPF |
| Stripe | Payment processing, Stripe Connect seller onboarding (KYC), payout settlement, fraud detection | Ireland (EU entity) · US (parent) | Stripe EU DPA + SCCs |
| Google — OAuth | Sign in with Google — OAuth identity provider | USA | SCCs + EU–US DPF |
| Google — Safe Browsing | Real-time URL safety check for all user-submitted links (malware / phishing detection) | USA | SCCs + EU–US DPF |
| Google — Analytics (GA4) | Aggregate website analytics — only active when user consents to analytics cookies | USA | SCCs + EU–US DPF (consent required) |
| Google — Maps Places API | Address autocomplete during Stripe Connect onboarding for sellers | USA | SCCs + EU–US DPF |
| Google — BigQuery | Optional advanced analytics processing (used only when explicitly enabled on an account) | EU (multi-region) or US (if selected) | SCCs + DPA |
| Apple — Sign In with Apple | OAuth sign-in via Apple ID | USA | SCCs |
| Google SMTP (via Nodemailer) | Transactional email delivery — receipts, password resets, security alerts | USA | SCCs + EU–US DPF |
| Mailchimp (Intuit) | Creator email audience sync — only when creator explicitly connects their Mailchimp account | USA | SCCs + DPA (creator-controlled) |
| Meta (Facebook Pixel) | Creator-configured retargeting pixel — only loaded with visitor marketing consent on opted-in profiles | USA / Ireland (Meta Platforms Ireland Ltd.) | SCCs + EU–US DPF (consent required, creator-controlled) |
| TikTok Pixel | Creator-configured retargeting pixel — consent required | USA / Singapore | SCCs (consent required, creator-controlled) |
| Snap (Snapchat Pixel) | Creator-configured retargeting pixel — consent required | USA | SCCs (consent required, creator-controlled) |
| Pinterest Tag | Creator-configured retargeting pixel — consent required | USA | SCCs (consent required, creator-controlled) |
| X Corp. (Twitter Pixel) | Creator-configured retargeting pixel — consent required | USA | SCCs (consent required, creator-controlled) |
SCCs = EU Standard Contractual Clauses · EU–US DPF = EU–US Data Privacy Framework · DPA = Data Processing Agreement
Creator-controlled processors
Some processors in the table above (advertising pixels, Mailchimp) are only activated when a creator explicitly enables them for their profile. In these cases:
- The creator acts as a separate data controller for those processing activities
- LinkStacked acts as a data processor executing the creator's instruction
- Visitor marketing consent is required before any pixel data is collected
- Creators are responsible for disclosing their use of these pixels to their audience
Transfer mechanisms
We safeguard transfers of personal data to third countries (primarily the United States) using:
- Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 (June 2021 version)
- EU–US Data Privacy Framework (DPF) — where sub-processors are DPF-certified (Stripe, Google/Alphabet, Cloudflare, Amazon)
- UK International Data Transfer Agreements (IDTA) — for transfers to the UK
- Adequacy decisions — for transfers to countries with EU adequacy decisions
A copy of the applicable SCCs is available on request at privacy@linkstacked.com.
Changes & notification
We update this sub-processor list when we add, remove, or materially change a vendor. If you have subscribed to sub-processor change notifications — or if you are an enterprise customer with data processing agreements — we will notify you of changes at least 30 days before a new sub-processor begins processing your data.
To subscribe to sub-processor change notifications, email privacy@linkstacked.com with subject: "Sub-processor change notifications".
This list was last updated on June 6, 2026. The previous version is available on request.
Questions about this policy?
Contact our legal team at legal@linkstacked.com or privacy@linkstacked.com for data matters. We respond within 5 business days.