Subprocessor List
This list identifies third-party providers that may process personal data in connection with the Helionix platform. Active providers are used for the core service. Conditional providers are used only if the relevant feature or environment configuration is enabled.
The Customer remains responsible for deciding whether the Platform is appropriate for its own categories of data and data subjects. This list should be read together with the Data Processing Agreement and Privacy Policy.
Active subprocessors and providers
| Provider | Status | Role / Purpose | Data | Transfer / Safeguards | Notes |
|---|---|---|---|---|---|
| Supabase | Active | Infrastructure processor/subprocessor Database, authentication, storage, audit records and realtime services. | Account data, tenant data, project data, worker records, documents, logs, consent and DSAR records. | As configured for the Supabase project and its infrastructure providers. Supabase DPA and contractual security measures. | Core platform service. |
| Vercel | Active | Hosting and deployment processor Application hosting, serverless runtime, deployment and operational logs. | Request metadata, runtime logs, deployment metadata and technical identifiers. | Vercel infrastructure locations and subprocessors. Vercel DPA and security controls. | Core hosting service. |
| Stripe | Active | Payment provider; controller and/or processor depending on the activity. Checkout, subscriptions, payment processing, billing portal, invoice/payment evidence. | Billing contact data, customer identifiers, subscription and invoice metadata, payment status and tax/VAT data. | Stripe infrastructure and service providers. Stripe DPA and payment industry security controls. | Card data is handled by Stripe, not stored by Helionix. |
| Resend | Active | Transactional email processor Transactional emails, confirmations, DSAR notifications, billing and partner messages. | Recipient email, message metadata and message content. | Resend infrastructure and listed subprocessors. Resend DPA and subprocessors list. | Email body may contain personal data depending on the workflow. |
Conditional providers
| Provider | Status | Role / Purpose | Data | Transfer / Safeguards | Notes |
|---|---|---|---|---|---|
| Vercel Web Analytics / Speed Insights | Conditional | Analytics and performance telemetry provider Website analytics and performance monitoring when explicitly enabled. | Aggregated page and performance telemetry; sensitive data must not be placed in URLs or custom events. | Vercel infrastructure. Vercel DPA and product privacy controls. | Currently gated by environment flags. |
| Google reCAPTCHA | Conditional | Anti-abuse provider Bot and abuse prevention for public/auth forms when configured. | CAPTCHA token, IP/browser signals and security telemetry processed by Google. | Google infrastructure. Google Cloud/Workspace data processing terms where applicable. | Frontend is currently reCAPTCHA-only if CAPTCHA is enabled. |
| Mapbox | Conditional | Map and geofence UI provider Map rendering and geofence editing when Mapbox token is configured. | Map interaction telemetry and technical identifiers; attendance GPS validation remains governed by the platform workflow. | Mapbox infrastructure and subprocessors. Mapbox privacy and subprocessor terms. | Only active if Mapbox is selected for production map/geofence UI. |
| Upstash Redis | Conditional | Rate limiting infrastructure provider Rate limiting and abuse prevention when Redis credentials are configured. | Rate-limit keys that may include IP or email-derived identifiers. | Upstash infrastructure. Upstash DPA. | Only active when production env enables Upstash Redis. |
Material additions or replacements of active subprocessors will be reflected in this list. Where required by the DPA or applicable law, Helionix will provide appropriate notice before the change takes effect.