Legal document \u00b7 Version 1.0
Subprocessors
- Effective date
- 2026-01-01
- Last updated
- 2026-04-21
- Document ID
- WS-LEG-SUB-001
- Supersedes
- None
Notice. This page is informational. Sub-processor changes are governed by the executed Data Processing Addendum. Controllers can subscribe to change notifications by emailing privacy@wavestar.space with the subject line “Sub-processor notifications”.
\u00a7 1. Infrastructure and hosting
The physical layer of the Platform. Compute, storage, and networking sit behind our tenant-isolation wrappers; the provider does not have access to plaintext application data.
Infrastructure
- Amazon Web Services, Inc.
- Primary cloud infrastructure
Regions: us-east-1, us-west-2, eu-west-1. Purpose: compute, storage, networking, KMS. Data categories: all customer data, encrypted at rest with customer-managed keys where available.
- Cockroach Labs, Inc.
- Managed distributed SQL
Region: us-east-1. Purpose: registry, attestation, and accounting storage. Data categories: identifiers, transaction metadata.
- Cloudflare, Inc.
- Edge network, DDoS mitigation, WAF
Purpose: TLS termination, traffic management, bot management. Data categories: IP addresses, request headers, routed traffic.
\u00a7 2. Business systems
Billing, support, communications, and related commercial systems. Data categories are generally account and contact data, not cleared-transaction data.
Business systems
- Stripe, Inc.
- Payment processing and billing
Region: United States. Purpose: invoicing, payment collection, tax calculation. Data categories: billing contacts, invoice data, limited payment-method metadata (Stripe retains card numbers).
- Plaid Inc.
- Banking connectivity
Region: United States. Purpose: bank-account verification and ACH on-boarding. Data categories: account holder name, account number, routing number (tokenised).
- SendGrid (Twilio Inc.)
- Transactional email
Region: United States. Purpose: delivery of transactional emails (password resets, alerts, notifications). Data categories: email addresses, message contents.
\u00a7 3. Observability and analytics
Operational telemetry and pseudonymised product analytics. No personal data is sent without consent where required; session and user identifiers are pseudonymous.
Observability and analytics
- Functional Software, Inc. (Sentry)
- Application performance monitoring and error tracking
Region: United States / European Union. Purpose: error aggregation, performance tracing. Data categories: pseudonymous session IDs, stack traces, truncated request metadata. PII scrubbing applied at collection.
- PostHog, Inc.
- Product analytics
Region: European Union. Purpose: pseudonymous product analytics. Data categories: pseudonymous user IDs, page events, feature flags. IP truncation at collection. Consent required outside the United States.
\u00a7 4. Notification and change process
We update this page within five business days of any change. For enterprise customers on an executed DPA, we provide at least 30 days’ notice of new sub-processors or changes in data category or processing location.
Subscribe to the change feed by emailing privacy@wavestar.space with the subject line “Sub-processor notifications”. If a Controller objects to a new sub-processor on reasonable data protection grounds, the remedies are set out in the Data Processing Addendum.
Stay informed
Subscribe to sub-processor changes
Enterprise customers receive 30 days' advance notice before a new sub-processor is engaged. All updates are also reflected on this page.