Subprocessors
Last Updated: June 16, 2026
Supload LLC uses the following third-party subprocessors to deliver the Supload service. Each subprocessor processes data only as necessary to provide the specific function described below.
We will update this page before engaging any new subprocessor and provide at least 30 days’ notice to Enterprise customers. Enterprise customers receive subprocessor change notifications automatically at the account administrator’s email address. All other customers may subscribe to notifications by emailing privacy@sup-load.com with the subject line “Subprocessor Notifications.”
Enterprise customers who object to a new subprocessor may contact legal@sup-load.com within the 30-day notice period. If the objection cannot be resolved, the Enterprise customer may terminate their agreement in accordance with their Enterprise plan terms.
Current Subprocessors
Infrastructure
| Subprocessor | Function | Data Processed | Infrastructure Location |
|---|---|---|---|
| Supabase, Inc. (hosted on Amazon Web Services) | Backend infrastructure — authentication, database, crash reporting, de-identified analytics, session management | Account information (email, name, user ID), de-identified usage analytics, crash reports, session tokens | United States (AWS US West) |
| Cloudflare, Inc. (Cloudflare Pages) | Hosting for the customer portal (subscription management, user allocation, billing) and the Supload marketing website | IP address (transient, used for routing and security — not stored by Supload), page requests | Global CDN (edge network) |
Authentication
| Subprocessor | Function | Data Processed | Infrastructure Location |
|---|---|---|---|
| Google LLC | Authentication (Google Sign-In) | Email address, display name, profile photo URL | United States |
| Apple Inc. | Authentication (Sign in with Apple), app distribution (App Store) | Email address (may be relay), display name | United States |
| Microsoft Corporation | Authentication (Enterprise SSO via Microsoft Entra ID) and authorization for Microsoft OneDrive account connection (MSAL) | Email address, display name, organization identifiers | United States |
Cloud Storage
| Subprocessor | Function | Data Processed | Infrastructure Location |
|---|---|---|---|
| Google LLC | Cloud storage integration (Google Drive) | User’s media files uploaded directly from device to user’s own Google Drive | United States |
| Dropbox, Inc. | Cloud storage integration (Dropbox) | User’s media files uploaded directly from device to user’s own Dropbox account | United States |
| Microsoft Corporation | Cloud storage integration (Microsoft OneDrive) | User’s media files uploaded directly from device to user’s own OneDrive account | United States |
Payment Processing
| Subprocessor | Function | Data Processed | Infrastructure Location |
|---|---|---|---|
| Stripe, Inc. | Subscription billing (secure web checkout) for Pro and Enterprise plans | Billing email, subscription status, last four digits of payment card — Supload never receives or stores full card numbers | United States |
Communications
| Subprocessor | Function | Data Processed | Infrastructure Location |
|---|---|---|---|
| Resend, Inc. | Email delivery (transactional notifications, usage digests) | Email address, notification content | United States |
Planned Subprocessors
None at this time. This page will be updated before any new subprocessor is engaged.
What Supload’s Servers Never Touch
Your photos and videos. Media files go directly from your device to your own cloud storage (Google Drive, Dropbox, or Microsoft OneDrive). They are never routed through, stored on, or processed by Supload’s servers.
Payment card information. Stripe processes all subscription billing (Pro and Enterprise) through a secure web checkout. Apple does not process Supload subscription payments. Supload receives subscription status and billing email only — never card numbers, bank account details, or payment credentials.
Authentication passwords. You sign in through Google, Apple, or your organization’s SSO. Supload never receives, stores, or processes your password. We receive only an authentication token and basic profile information (email, display name).
Cloud storage credentials. Your Google Drive, Dropbox, and OneDrive passwords are never shared with Supload. Cloud OAuth tokens are stored only in your device’s iOS Keychain (hardware-encrypted, accessible after first unlock, not synchronized to other devices) and are used solely to maintain your cloud connection. They are never stored on Supload’s servers.
Advertising data. We do not use advertising subprocessors, ad networks, or data brokers.
Analytics with PII. Usage analytics are stripped of personally identifying information before storage.
AI or ML training data. We do not use subprocessors for AI model training, machine learning, or automated profiling of user data.
Data Processing Agreements
Supload relies upon the standard data processing terms published by each subprocessor, including Google’s Data Processing Terms, Apple’s Data Processing Addendum, Supabase’s Data Processing Agreement, Cloudflare’s Data Processing Addendum, Dropbox’s Data Processing Agreement, Microsoft’s Data Protection Addendum, Stripe’s Data Processing Agreement, and Resend’s Data Processing Agreement. These standard terms include obligations for data protection, security, confidentiality, and compliance with applicable data protection laws including GDPR, CCPA, and other US state privacy laws.
For Enterprise customers who require a Data Processing Agreement between their organization and Supload LLC, a standard DPA will be available upon request at legal@sup-load.com.
Data Retention by Subprocessor
| Subprocessor | Data | Retention |
|---|---|---|
| Supabase (AWS) | Account information | Until account deletion |
| Supabase (AWS) | Terms acceptance record | 3 years after account deletion |
| Supabase (AWS) | Usage analytics | 28 days (auto-purged) |
| Supabase (AWS) | Crash reports | 90 days (auto-purged) |
| Supabase (AWS) | Audit trail | 1 year (auto-purged) |
| Supabase (AWS) | Session tokens | Session duration |
| Google / Apple / Microsoft | Authentication tokens | Session duration |
| Google Drive / Dropbox / OneDrive | User’s media files | Managed by the user in their own cloud storage account |
| Stripe | Billing email, subscription status | Per Stripe’s retention policy |
| Resend | Email delivery logs | Per Resend’s retention policy |
| Cloudflare | IP addresses | Transient (not stored by Supload) |
For complete retention details, see our Privacy Policy, Section 7.
International Data Transfers
All subprocessors are based in the United States or operate global infrastructure. For users in the European Economic Area (EEA), data transfers to the United States are governed by Standard Contractual Clauses (SCCs) and the data processing agreements maintained with each subprocessor. For details, see our Privacy Policy, Section 13.
Changes to This List
| Date | Change |
|---|---|
| March 24, 2026 | Initial publication. Includes Supabase, Cloudflare, Google, Apple, Microsoft, Dropbox, Resend. Stripe listed as planned. |
| June 16, 2026 | Microsoft OneDrive added as an active cloud-storage subprocessor (and Microsoft’s authentication role expanded to cover OneDrive connection via MSAL). Stripe moved from planned to current as the payment processor for Pro and Enterprise via secure web checkout. Apple removed as a payment-processing subprocessor (Apple remains a subprocessor for Sign in with Apple and App Store distribution). Cloud OAuth token storage corrected to device-only iOS Keychain (the prior “Supabase Vault” description was inaccurate). OneDrive and Stripe added to the retention table; Stripe added to the Data Processing Agreements list. |
Questions
Contact privacy@sup-load.com with any questions about our subprocessors or data processing practices.