Sub-Processor Disclosure
Built to comply with — Transparent sub-processor disclosure
The third-party vendors that process customer personal data on TrueStake's behalf, with honest notes on data-processing agreement status and which vendors handle only public on-chain data.
What a sub-processor is
A sub-processor is a third-party vendor that processes personal data on TrueStake's behalf. The distinction matters: some vendors in our stack receive only public Ethereum on-chain data (no connection to your identity), while others touch data that links to you as a person.
PII sub-processors — vendors that touch personal data
These vendors receive or process personal data about TrueStake customers (data that can be linked to an identifiable person):
| Vendor | Role | Notes |
|---|---|---|
| Supabase | Database, authentication, storage | Holds your email address, encrypted on-chain identifiers, and reward data. |
| Vercel | Web hosting, edge network, serverless functions | Processes session data and API requests. |
| Sentry | Error monitoring | Receives error reports. A PII scrubber strips address-pattern data before upload. |
| Cloudflare | DNS, WAF, Cloudflare Tunnel (node access) | Processes network requests including IP addresses in access logs. |
| Resend | Transactional email (auth magic links, incident notification) | Used to deliver authentication emails (magic links) and, if needed, incident notifications. Receives email addresses. |
| GitHub | Source code hosting, CI/CD | Holds developer credentials and source code. No customer personal data is in the source repository. |
| Stripe | Billing and payment processing | Holds billing address and payment card data — TrueStake stores only a Stripe customer ID, not the underlying payment data. |
Doppler (secrets management) is listed for completeness: it holds service credentials only and no customer PII.
The following data sources receive queries about public Ethereum blockchain data only — no personal data, no email address, no identity linkage. They are data sources, not PII sub-processors:
| Vendor | What they receive |
|---|---|
| CoinGecko | Price oracle queries (public ETH/USD market data) |
| Kraken | Price oracle queries (public ETH/USD market data) |
| Coinbase | Price oracle queries (public ETH/USD market data) |
| beaconcha.in | Validator index lookups (public Ethereum network data) |
| Lighthouse (self-hosted) | Validator indices for beacon-chain queries; own-operated node, no third-party data sharing |
| Reth (self-hosted) | Block number and log queries; own-operated node, no third-party data sharing |
The infrastructure vendors listed above hold industry certifications:
- Supabase — SOC 2 Type II
- Vercel — SOC 2 Type II
- Sentry — SOC 2 Type II
- Cloudflare — SOC 2 Type II
- Stripe — PCI DSS Level 1
Honest deferral — formal DPAs
Formally executed data-processing agreements with Supabase, Vercel, Cloudflare, Resend, Sentry, and GitHub are a prerequisite before TrueStake admits any non-founder user. As of 2026-06-26, standard DPAs are available from each vendor but have not yet been formally executed. This is a known gap with a committed resolution point — not an oversight.
TrueStake will not onboard non-founder beta users until DPAs are signed with all PII sub-processors in active production use.
Vendor certifications (held by the vendor, not by TrueStake)
TrueStake itself holds no SOC 2, ISO 27001, or PCI certification. The vendors' certifications do not transfer to TrueStake's application layer; they cover the vendor's own infrastructure and operations.
This list reflects TrueStake's sub-processor roster as of 2026-06-26. It will be updated when vendors are added or removed.