Sub-processors
Last Updated: March 1, 2026
CloudLink uses the following third-party sub-processors to deliver our services. All sub-processors have executed Data Processing Agreements (DPAs) and are regularly reviewed for compliance with our security and privacy standards.
Update Notification: We provide 30 days advance written notice before adding new sub-processors. Subscribe to updates by emailing [email protected] with subject "Sub-processor Updates".
Current Sub-processors
| Sub-processor | Location | Purpose | DPA |
|---|---|---|---|
| Amazon Web Services (AWS) | United States | Cloud infrastructure hosting, compute, storage, and networking | Signed |
| Google Cloud Platform (GCP) | United States | Cloud infrastructure, BigQuery analytics, and AI/ML services | Signed |
| Microsoft Azure | United States | Cloud infrastructure for multi-cloud deployments | Signed |
| Cloudflare | United States | CDN, DDoS protection, DNS, and edge computing | Signed |
| Stripe | United States | Payment processing and subscription billing | Signed |
| Clerk | United States | Authentication, user management, and SSO | Signed |
| Resend | United States | Transactional email delivery | Signed |
| SendGrid (Twilio) | United States | Email delivery (fallback provider) | Signed |
| Vercel | United States | Website and dashboard hosting, edge functions | Signed |
| Sentry | United States | Error tracking and performance monitoring | Signed |
| Datadog | United States | Infrastructure monitoring and APM | Signed |
| PagerDuty | United States | On-call scheduling and incident management | Signed |
| Slack (Salesforce) | United States | Team communication and customer channels | Signed |
| Notion | United States | Internal documentation and knowledge base | Signed |
| GitHub (Microsoft) | United States | Source code management and CI/CD | Signed |
| Google Analytics | United States | Website analytics and conversion tracking | Signed |
Data Transfer Mechanisms
For transfers outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) and ensure all sub-processors implement appropriate technical and organizational measures including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Access controls and principle of least privilege
- Regular security audits and penetration testing
- Incident notification within 72 hours
Objection Process
If you object to a new sub-processor, notify us within 30 days at [email protected]. We will work with you to find an alternative arrangement or, if not possible, either party may terminate the affected services.