GDPR Article 28
Subprocessors
Last updated May 15, 2026
Rule Guardian uses the third-party services below to operate. Each is bound by a Data Processing Agreement (or equivalent) and processes only the data needed for its function. We notify users by email at least 30 days before adding or replacing any subprocessor.
| Subprocessor | Purpose | Data shared | Location | DPA |
|---|---|---|---|---|
| Supabase | Primary database (Postgres) and authentication | Account, brokerage metadata, encrypted OAuth tokens, trade history | USA | View DPA |
| Stripe | Payment processing and subscription billing | Name, email, billing address, last 4 of card, charge history | USA | View DPA |
| Loops | Transactional and lifecycle email | Email address, name, segmentation properties | USA | View DPA |
| Sentry | Error monitoring | Stack traces, user agent, IP address, redacted error context | USA | View DPA |
| BetterStack | Uptime and log monitoring | Service availability metrics, log lines (no PII by default) | USA | View DPA |
| Vercel | Application hosting, edge network, bandwidth | Request logs (URL, status, IP), deployment artifacts | USA + global edge | View DPA |
| Rithmic | Brokerage integration (market data and order routing) | Account credentials and trade activity for accounts you connect | USA | On request |
| Tradovate | Brokerage integration (market data and order routing) | Account credentials and trade activity for accounts you connect | USA | On request |
| Cloudflare | DNS resolution | DNS lookups (no application payload) | USA | View DPA |
Questions about this list, or want to be notified when it changes? Email privacy@ruleguardian.co. See also our Privacy Policy.