Sub-processors
Last updated 4 May 2026
To run Norrstone Vault we rely on a short list of service providers ("sub-processors"). They process personal data on our behalf and only under our written instructions, subject to a data processing agreement that includes GDPR Article 28 safeguards and, where data leaves the European Economic Area, Standard Contractual Clauses.
Insurance underwriting and claims handling are performed by independent insurer partners who are separate controllers, not sub-processors. Information sharing with an insurer only happens after you explicitly consent — see the Privacy Policy for details.
Current list
| Provider | Purpose | Data involved | Region |
|---|---|---|---|
| Supabase, Inc. | Primary database, authentication, file storage, background functions. | All account data, certificates, insurance data (including applicant legal name, date of birth, national identifier, phone, residential address — collected only when an insurance application is started), messages, notifications, audit logs. | EU — eu-central-1 (Frankfurt, Germany). |
| Vercel, Inc. | Hosting for the Norrstone Vault website and related web apps. | Request logs (IP, user-agent), session cookies, server-side render data. | US and EU edge (global CDN). |
| Stripe, Inc. | Payment processing for marketplace purchases and insurance premiums; seller payouts via Stripe Connect. | Payment amounts, currency, Stripe customer / invoice / payment-intent identifiers, billing email, seller KYC (held by Stripe, linked by account ID). | US (Standard Contractual Clauses). |
| Resend, Inc. | Transactional email delivery (sign-in links, claim links, receipts, notifications). | Recipient email, email subject and body, delivery status. | US (Standard Contractual Clauses). |
| Polygon public blockchain (via an RPC provider such as Alchemy or QuickNode) | Anchors a tamper-evident record of each issued certificate. | Certificate identifier, product specifications (metal, stones, origin, lab reference), token ID, transaction hash, custodial minter wallet address. No consumer name, email, address, or personal wallet address is ever written on-chain. | Public blockchain — globally replicated and immutable. |
| Sentry, Inc. | Error reporting for Supabase Edge Functions. Not used on the web apps or mobile app. | Error messages, stack traces, request IDs, and related record IDs (for example, the recipient email on a failed email-send attempt). | US (Standard Contractual Clauses) — EU region migration under review. |
| Expo, Inc. + Apple Push Notification service / Google Firebase Cloud Messaging | Mobile push notifications for the Norrstone Vault mobile app. | Device push token, user ID, notification title, body, and deep-link URL. | US and globally distributed (Apple and Google infrastructure). |
| Shopify, Inc. | Connects a jeweler's Shopify store to Norrstone so orders automatically produce draft certificates. | OAuth tokens, shop domain, merchant email (limited fields during OAuth). | US (Standard Contractual Clauses). |
| Google LLC / Apple Inc. | Sign-in with Google or Sign in with Apple, if you choose those options. | Only the minimum identity claims required to authenticate you (name, email, and the OAuth subject identifier). | US and globally distributed. |
Changes to this list
We will update this page whenever a sub-processor is added, removed, or materially changes role. If the change meaningfully affects how your personal data is handled we will also notify you by email or through the Service.
Questions
For questions about any of the providers listed above or to request a copy of a specific data processing agreement, contact privacy@norrstone.com.