Subprocessors
Last updated: March 2026
CandleKeep uses the following third-party service providers (subprocessors) that process data on our behalf as part of providing the CandleKeep service.
| Subprocessor | Purpose | Data Processed | Location | Compliance | DPA Availability |
|---|---|---|---|---|---|
| Clerk | Authentication & user management | Email, name, profile image | US | SOC2 Type II | Available |
| PostHog | Product analytics | Usage events, device info (with consent) | EU (Frankfurt) | SOC2 Type II | Available |
| Railway | Application hosting & database | All application data | US | SOC2 Type II | Available |
| Railway Buckets | File storage | Uploaded documents | US | Via Railway SOC2 | Via Railway |
| Polar | Subscription billing | Email, subscription status, payment data (via their payment processor) | EU (Sweden) | GDPR self-certified* | Available |
| Cloudflare | DNS & email routing | Domain traffic metadata, email addresses (routing) | Global | SOC2 Type II, ISO 27001 | Available |
| Resend | Transactional email delivery | Email addresses, email content | US | SOC2 Type II | Available |
*GDPR compliance is self-reported by the vendor and has not been independently verified.
Data processing is governed by each vendor's standard data processing terms, which are incorporated by reference. For details on specific DPA arrangements, contact [email protected].
Changes to Subprocessors
We commit to providing at least 30 days' notice before adding new subprocessors. To subscribe to updates about subprocessor changes, contact us at [email protected].
Questions
If you have questions about our subprocessors, contact us at [email protected].