Legal & compliance

Subprocessors

Last updated 3 May 2026

Subprocessors

Last updated: 3 May 2026.

We use the following subprocessors to deliver the Service. We give Operators at least 30 days' notice (by email and a banner in the Staff Console) before adding or replacing any subprocessor. To object to a change, write to privacy@waypointtms.com.

Subprocessor Purpose Personal data processed Region Transfer mechanism
Replit, Inc. Application hosting, autoscale, edge proxy, TLS termination All application traffic and storage United States, with EU-region failover EU SCCs 2021/914 (Module 2) + UK IDTA
Neon, Inc. Managed PostgreSQL database All Operator records EU (Frankfurt primary) N/A — data stays in EEA
Resend, Inc. Transactional email delivery (login alerts, password resets, ticket replies, invoices) Recipient email and message body United States EU SCCs 2021/914 (Module 3) + UK IDTA
Expo Application Services iOS / Android build pipeline, over-the-air update distribution Build metadata only — no end-user PII United States EU SCCs 2021/914 (Module 3) + UK IDTA
Sentry / Functional Software, Inc. Application error monitoring Stack traces, request id, user id (no payload bodies) United States EU SCCs 2021/914 (Module 3) + UK IDTA
Stripe Payments Europe Ltd. Billing and payment processing Operator billing contact, invoice line items, card token Ireland (EU) N/A — data stays in EEA

Onward subprocessors

Each subprocessor maintains its own subprocessor list. We review their lists at engagement and at least annually thereafter.

Historical changes

Date Change
2026-05-03 Initial publication.

← All legal documents