1. Current sub-processors
Each entity below is bound by contractual data-protection terms with at least the same protections we owe you. We update this page when sub-processors change — see Section 2 below for how we notify you.
| Sub-processor | Purpose | Data categories | Hosting region |
|---|---|---|---|
| Vercel Inc. | Hosting for getwebstory.com and the webstoryapp.com dashboard. | Account & dashboard usage data, server logs, Customer Content delivered through the dashboard. | Global edge; primary US. |
| Supabase Inc. | Authentication and primary application database. | Email, hashed password, profile info, session tokens, Customer Content metadata, lead form submissions, integration tokens (encrypted). | AWS us-east-2 (Ohio, USA). |
| Cloudflare, Inc. | Cloudflare Stream (video), R2 (object storage), Workers, KV, D1, and viewer delivery for *.webstory.app and customer custom domains. | Customer Content (videos, images, canvas frames), End-Viewer IPs and request logs, viewer engagement events. | Global edge. |
| Stripe, Inc. (Stripe Connect + Stripe Tax) | Payment processing on behalf of customers via Stripe Connect Custom (we are the platform; the customer is the merchant of record). Stripe Tax computes tax on customer transactions. Stripe.js is also loaded into End-Viewer browsers when a Story has Squarespace ecommerce, so that card data is tokenized inside Stripe's iframe and never reaches our systems. | Customer Stripe Connect onboarding info (business and owner identity, address, DOB, tax ID, MCC, bank-account tokens), Connect account state, payment-intent metadata, buyer billing address and email, computed tax data, dispute/chargeback events. Card and bank-account numbers are tokenized client-side by Stripe.js and don't pass through us. | US, with EU/UK pinning per Stripe. |
| Functional Software, Inc. (Sentry) | Error monitoring and 5%-sampled session replay (text and inputs masked, media blocked). | Error stack traces, request metadata, masked session replays. | US. |
| Upstash, Inc. | Redis-based rate limiting. | IP addresses, request counts, rate-limit keys. | US / EU per region. |
| Campaign Monitor Pty Ltd | Marketing email lists for getwebstory.com; customer-driven list mapping when a customer enables the integration. | Subscriber email, name, list metadata; customer-defined fields when an integration is enabled. | Australia / US. |
| Mailgun (Sinch Email) | Transactional email for the marketing site forms (contact, newsletter). | Sender email, name, message body. | US or EU (per environment configuration). |
| Zapier, Inc. | Customer-driven webhook forwarding from your Webstory forms when you enable the integration. | Form-field values you have authorized to send. | US. |
| Shopify Inc. | Customer-driven cart and checkout in your Webstories when you connect a Shopify store. | Cart IDs, product IDs, viewer activity passed by your published Story; OAuth tokens stored encrypted on our side. | Global, per Shopify. |
| Squarespace, Inc. | Customer-driven Squarespace integration: read product catalog and inventory, create orders on the customer's Squarespace site after a buyer pays, receive fulfillment-status webhooks (order.update) and uninstall webhooks (extension.uninstall). OAuth scopes: website.products.read, website.orders, website.orders.read, website.inventory.read. | Encrypted OAuth access and refresh tokens (AES-256-GCM at rest, with separate IVs); product catalog metadata fetched on-demand; order line items, buyer email, billing/shipping address, and tax breakdown sent to Squarespace at checkout; per-subscription webhook secrets stored encrypted. | US. |
2. Notice of changes
We give existing customers at least 30 days’ email notice before adding or replacing a sub-processor that handles personal data. To object, reply to that notice within 30 days. If we can’t accommodate your objection, your sole remedy is to terminate your subscription before the change takes effect.
3. Contact
Questions about this list? hello@webstory.app.
Version history
- 1.2 — June 8, 2026— version synced with the Terms, Privacy Policy, and DPA on incorporation; this list is now published by Webstory Tech Inc., a British Columbia company. The sub-processors themselves are unchanged.
- 1.1 — May 7, 2026 — expanded the Stripe entry to reflect Stripe Connect Custom and Stripe Tax going live, including Stripe.js loading in viewer browsers; expanded the Squarespace entry with real OAuth scopes, encrypted token handling, and the order-creation/webhook flows.
- 1.0 — May 5, 2026 — initial publication.
