Legal & compliance
Last updated 3 May 2026
Last updated: 3 May 2026.
We use the following subprocessors to deliver the Service. We give Operators at least 30 days' notice (by email and a banner in the Staff Console) before adding or replacing any subprocessor. To object to a change, write to privacy@waypointtms.com.
| Subprocessor | Purpose | Personal data processed | Region | Transfer mechanism |
|---|---|---|---|---|
| Replit, Inc. | Application hosting, autoscale, edge proxy, TLS termination | All application traffic and storage | United States, with EU-region failover | EU SCCs 2021/914 (Module 2) + UK IDTA |
| Neon, Inc. | Managed PostgreSQL database | All Operator records | EU (Frankfurt primary) | N/A — data stays in EEA |
| Resend, Inc. | Transactional email delivery (login alerts, password resets, ticket replies, invoices) | Recipient email and message body | United States | EU SCCs 2021/914 (Module 3) + UK IDTA |
| Expo Application Services | iOS / Android build pipeline, over-the-air update distribution | Build metadata only — no end-user PII | United States | EU SCCs 2021/914 (Module 3) + UK IDTA |
| Sentry / Functional Software, Inc. | Application error monitoring | Stack traces, request id, user id (no payload bodies) | United States | EU SCCs 2021/914 (Module 3) + UK IDTA |
| Stripe Payments Europe Ltd. | Billing and payment processing | Operator billing contact, invoice line items, card token | Ireland (EU) | N/A — data stays in EEA |
Each subprocessor maintains its own subprocessor list. We review their lists at engagement and at least annually thereafter.
| Date | Change |
|---|---|
| 2026-05-03 | Initial publication. |