Alpomi Sub-processors
Last updated: 17 April 2026 · Version 2026.04.17
This page lists the third-party service providers ("Sub-processors") that Alpomi Ltd engages to deliver the Alpomi business-intelligence platform. It is maintained in line with our Privacy Policy and our customer Data Processing Agreement.
Our commitments
- We contractually require every Sub-processor to provide at least the same level of data-protection obligations we owe to our Customers under our DPA.
- Each Sub-processor has a signed Data Processing Addendum with Alpomi.
- Cross-border transfers are covered by UK/EU adequacy, the UK International Data Transfer Agreement / UK Addendum, the EU Standard Contractual Clauses (2021 modules), and/or the EU–U.S. Data Privacy Framework (where the Sub-processor is certified), supported by technical measures such as encryption in transit and at rest.
- We perform due diligence (privacy, security, and reliability) before onboarding a new Sub-processor and annually thereafter.
Change-notification policy
We will update this page at least 30 days before a new Sub-processor begins processing Customer Data. Customers with an active subscription may subscribe to change notifications by emailing privacy@alpomi.com. A Customer who reasonably objects to a new Sub-processor on legitimate data-protection grounds may terminate the affected Service under the procedure in our DPA.
1. Infrastructure and storage
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Managed Postgres database, authentication, storage and realtime — core application database. | Germany — eu-central-1 (Frankfurt) | Within EEA — no restricted transfer. DPA in place; Supabase affiliate access from the US covered by EU SCCs + UK Addendum. |
| Amazon Web Services (AWS) | Lambda functions (website indexer), SQS queues (asynchronous jobs), CloudWatch logs. | United Kingdom — eu-west-2 (London) | Within UK — no restricted transfer. DPA in place; AWS affiliate / support access from the US covered by EU SCCs + UK Addendum. |
| Vercel | Application hosting, edge runtime, CDN and build pipeline for the marketing site. | United States (global edge network) | EU SCCs + UK Addendum; DPA in place |
| Upstash | Managed Redis cache (rate-limiting, session cache, short-lived queues). | Primary region: EU (eu-west-1, Ireland) — US affiliate access | Within EEA for primary processing. EU SCCs + UK Addendum for US affiliate access; DPA in place. |
2. Payments and communications
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Subscription billing, payment processing, invoicing, dunning. | Ireland (controller for card data); United States (group affiliates) | Stripe acts as a separate controller for card data; EU SCCs + UK Addendum for inter-group transfers |
| Resend | Transactional email delivery (sign-up, password reset, billing receipts, product notifications). | United States | EU SCCs + UK Addendum; DPA in place |
3. AI model providers
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| OpenAI, L.L.C. | AI model inference via provider API. | United States | EU SCCs + UK Addendum; zero- or short-retention API configuration; data not used to train models |
| Anthropic PBC | AI model inference via provider API. | United States | EU SCCs + UK Addendum; zero-retention configuration where available; data not used to train models |
| Google LLC — Gemini API | AI model inference via provider API. | United States / EU (multi-region) | EU SCCs + UK Addendum; paid API does not use prompts for training |
| Perplexity AI, Inc. | AI model inference via provider API. | United States | EU SCCs + UK Addendum; API-tier data not used for training |
4. Customer-authorised integrations (data sources)
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google LLC — Ads, Analytics 4, Search Console, Tag Manager | Customer-authorised data source: pulls campaign, analytics, search and tag data into the Platform. | United States / Global | EU–U.S. Data Privacy Framework and its UK Extension; EU SCCs + UK Addendum |
| Meta Platforms Ireland Limited | Customer-authorised data source: pulls Facebook and Instagram Ads data into the Platform. | Ireland (primary); United States (affiliates) | EU SCCs + UK Addendum for inter-group transfers |
| Shopify International Limited | Customer-authorised data source: pulls orders, customers, products and inventory into the Platform. | Ireland (European customers); Canada (group) | UK and Canadian adequacy; EU SCCs + UK Addendum for transfers outside the EEA |
| Taobao / Alibaba Group | Customer-authorised data source: pulls e-commerce data where Customers operate on Taobao. | People's Republic of China | EU SCCs + UK Addendum plus transfer-impact assessment; restricted to explicitly connected accounts |
Notes
- Customer-authorised integrations (section 4) only receive or return data when a Customer actively connects their account. They act as independent controllers for the underlying source data; Alpomi acts as a processor for the copy ingested into the Platform.
- AI providers (section 3) are used only for inference on prompts Alpomi or its Customers submit. We configure each provider, where offered, for zero-retention or short-retention API use and disable training on customer data.
- Stripe is a separate controller for card data under Stripe's own privacy terms; Alpomi never stores raw card numbers.
Signed copies of DPAs
The list above is the public version of our sub-processor register. Signed copies of the underlying Data Processing Agreements — the Alpomi customer DPA and each sub-processor DPA / SCC / UK Addendum we hold — are available on request to any Customer or prospective Customer under NDA. Email privacy@alpomi.com with the names of the agreements you would like to review and we will respond within 5 working days.
Contact
Questions about our Sub-processors or transfer mechanisms: privacy@alpomi.com.
Featured Articles
View all
Best Supermetrics Alternative for Agencies 2026
Compare Supermetrics alternatives for agencies: flat pricing, white-label reporting, and unified dashboards. No per-connector fees.
How to Reduce Client Reporting Time as a Marketing Agency
Cut client reporting from 2-3 days to hours. Practical steps: standardise templates, automate data collection, and leverage AI for insights.
Why Reporting Takes 2-4 Days Per Month Per Client (And How to Fix It)
Agency reporting takes 2-4 days per client per month. Here's how to cut it to under 5 hours with automation and white-label tools.