Alpomi Sub-processors
Last updated: 17 April 2026 · Version 2026.04.17
This page lists the third-party service providers ("Sub-processors") that Alpomi Ltd engages to deliver the Alpomi business-intelligence platform. It is maintained in line with our Privacy Policy and our customer Data Processing Agreement.
Our commitments
- We contractually require every Sub-processor to provide at least the same level of data-protection obligations we owe to our Customers under our DPA.
- Each Sub-processor has a signed Data Processing Addendum with Alpomi.
- Cross-border transfers are covered by UK/EU adequacy, the UK International Data Transfer Agreement / UK Addendum, the EU Standard Contractual Clauses (2021 modules), and/or the EU–U.S. Data Privacy Framework (where the Sub-processor is certified), supported by technical measures such as encryption in transit and at rest.
- We perform due diligence (privacy, security, and reliability) before onboarding a new Sub-processor and annually thereafter.
Change-notification policy
We will update this page at least 30 days before a new Sub-processor begins processing Customer Data. Customers with an active subscription may subscribe to change notifications by emailing privacy@alpomi.com. A Customer who reasonably objects to a new Sub-processor on legitimate data-protection grounds may terminate the affected Service under the procedure in our DPA.
1. Infrastructure and storage
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Managed Postgres database, authentication, storage and realtime — core application database. | Germany — eu-central-1 (Frankfurt) | Within EEA — no restricted transfer. DPA in place; Supabase affiliate access from the US covered by EU SCCs + UK Addendum. |
| Amazon Web Services (AWS) | Lambda functions (website indexer), SQS queues (asynchronous jobs), CloudWatch logs. | United Kingdom — eu-west-2 (London) | Within UK — no restricted transfer. DPA in place; AWS affiliate / support access from the US covered by EU SCCs + UK Addendum. |
| Vercel | Application hosting, edge runtime, CDN and build pipeline for the marketing site. | United States (global edge network) | EU SCCs + UK Addendum; DPA in place |
| Upstash | Managed Redis cache (rate-limiting, session cache, short-lived queues). | Primary region: EU (eu-west-1, Ireland) — US affiliate access | Within EEA for primary processing. EU SCCs + UK Addendum for US affiliate access; DPA in place. |
2. Payments and communications
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe, Ltd. | Subscription billing, payment processing, invoicing, dunning. | Ireland (controller for card data); United States (group affiliates) | Stripe acts as a separate controller for card data; EU SCCs + UK Addendum for inter-group transfers |
| Resend | Transactional email delivery (sign-up, password reset, billing receipts, product notifications). | United States | EU SCCs + UK Addendum; DPA in place |
3. AI model providers
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| OpenAI, L.L.C. | AI model inference via provider API. | United States | EU SCCs + UK Addendum; zero- or short-retention API configuration; data not used to train models |
| Anthropic PBC | AI model inference via provider API. | United States | EU SCCs + UK Addendum; zero-retention configuration where available; data not used to train models |
| Google LLC — Gemini API | AI model inference via provider API. | United States / EU (multi-region) | EU SCCs + UK Addendum; paid API does not use prompts for training |
| Perplexity AI, Inc. | AI model inference via provider API. | United States | EU SCCs + UK Addendum; API-tier data not used for training |
4. Customer-authorised integrations (data sources)
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google LLC — Ads, Analytics 4, Search Console, Tag Manager | Customer-authorised data source: pulls campaign, analytics, search and tag data into the Platform. | United States / Global | EU–U.S. Data Privacy Framework and its UK Extension; EU SCCs + UK Addendum |
| Meta Platforms Ireland Limited | Customer-authorised data source: pulls Facebook and Instagram Ads data into the Platform. | Ireland (primary); United States (affiliates) | EU SCCs + UK Addendum for inter-group transfers |
| Shopify International Limited | Customer-authorised data source: pulls orders, customers, products and inventory into the Platform. | Ireland (European customers); Canada (group) | UK and Canadian adequacy; EU SCCs + UK Addendum for transfers outside the EEA |
| Taobao / Alibaba Group | Customer-authorised data source: pulls e-commerce data where Customers operate on Taobao. | People's Republic of China | EU SCCs + UK Addendum plus transfer-impact assessment; restricted to explicitly connected accounts |
Notes
- Customer-authorised integrations (section 4) only receive or return data when a Customer actively connects their account. They act as independent controllers for the underlying source data; Alpomi acts as a processor for the copy ingested into the Platform.
- AI providers (section 3) are used only for inference on prompts Alpomi or its Customers submit. We configure each provider, where offered, for zero-retention or short-retention API use and disable training on customer data.
- Stripe is a separate controller for card data under Stripe's own privacy terms; Alpomi never stores raw card numbers.
Signed copies of DPAs
The list above is the public version of our sub-processor register. Signed copies of the underlying Data Processing Agreements — the Alpomi customer DPA and each sub-processor DPA / SCC / UK Addendum we hold — are available on request to any Customer or prospective Customer under NDA. Email privacy@alpomi.com with the names of the agreements you would like to review and we will respond within 5 working days.
Contact
Questions about our Sub-processors or transfer mechanisms: privacy@alpomi.com.
Featured Articles
View all
Why E-Commerce Ads Are More Expensive and Less Effective -- And What the Best Operators Are Doing About It
Ad costs are up. ROAS is down. The creative that worked in 2021 does not work in 2025. This is not a targeting problem. The advertising environment structurally changed across four forces simultaneous
Why Shopify Is the Smartest Move Amazon Sellers Make in 2026
If Amazon suspended your account tomorrow, how long would your business survive? For most Amazon-only sellers the honest answer is uncomfortable. Here is the margin math, the data ownership argument,
The Platform Trap: How E-Commerce Vendor Lock-In Is Quietly Destroying Your Margins
Most e-commerce businesses are structurally trapped by the platforms they depend on and it is costing them thousands every month. Here is how vendor lock-in works across four layers, what it actually