Version 1.0 · Last updated April 21, 2026
Subprocessors
BenefitsSafe uses the third-party services below to operate the platform. These companies process limited amounts of your data on BenefitsSafe's behalf under written contracts that require them to protect your information. This page is the authoritative list referenced by Appendix A of our Data Processing Agreement and Section 6 of our Privacy Policy.
What is a subprocessor?
Under GDPR Article 28 and CCPA §1798.140, a Nonprofit that uses BenefitsSafe is the data controller — it decides what Beneficiary data to collect and why. BenefitsSafe is the data processor— we act on the Nonprofit's instructions. The companies below are sub-processors — third parties that BenefitsSafe engages to deliver narrow slices of the service (hosting, email delivery, monitoring, etc.).
GDPR Article 28(2) requires us to list our sub-processors publicly and to give Nonprofit customers a meaningful opportunity to object before we add new ones. CCPA treats this disclosure as part of the "business purpose" transparency obligation under §1798.130. This page is how we satisfy both.
Current subprocessors
| Name | Purpose | Data categories | Location | Links |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing (Stripe Payments + Connect), card issuance (Stripe Issuing), subscription billing (Stripe Billing), Treasury Financial Accounts, Nonprofit ACH onboarding.Virtual cards are issued by Sutton Bank and Evolve Bank & Trust (Members FDIC) as Stripe Issuing partners. Stripe handles all PCI DSS Level 1 obligations; BenefitsSafe does not store full card numbers, CVVs, or full bank account numbers. | Nonprofit business info (legal name, EIN, beneficial owners); Beneficiary cardholder name, DOB, address, and SSN for KYC; card transaction data (merchant, MCC, amount, timestamp, approval status); Nonprofit bank-account details for payouts. | United States | |
| Sutton Bank | Card-issuing bank for Stripe Issuing. One of two partner banks that issue BenefitsSafe virtual cards. | Cardholder identity data (received via Stripe). | United States (Member FDIC) | |
| Evolve Bank & Trust | Card-issuing bank for Stripe Issuing. One of two partner banks that issue BenefitsSafe virtual cards. | Cardholder identity data (received via Stripe). | United States (Member FDIC) | |
| Amazon Web Services, Inc. | Primary cloud infrastructure: Aurora PostgreSQL database, S3 document storage, KMS key management. Database is encrypted at rest with AES-256 via AWS KMS.AWS maintains SOC 1, SOC 2 Type II, SOC 3, ISO 27001, and PCI DSS Level 1 certifications for the services we rely on. | All platform data at rest (encrypted). Encrypted database backups are retained per the IRS 7-year financial-records rule. | US-West (Oregon) primary; US-East (Virginia) secondary backup region. | |
| Vercel, Inc. | Application hosting and edge delivery for app.benefitssafe.com and benefitssafe.com. Stores encrypted environment variables for the running applications. | HTTP request metadata (path, IP, user-agent), deployment logs, edge cache entries. No persistent PII storage. | United States (global edge network). | |
| Cloudflare, Inc. | Authoritative DNS for benefitssafe.com. CDN + reverse-proxy for app.benefitssafe.com (sees HTTP request metadata for TLS-terminated traffic). Cloudflare Workers run the scheduled cron jobs that trigger internal reconciliation routes. | HTTP request metadata: IP address, user-agent, path, response status. No persistent PII storage. | United States (global edge). | |
| Postmark (ActiveCampaign) | Transactional email delivery: email verification, password reset, expense-approval notifications, billing receipts, compliance alerts. | Recipient email address, display name, message subject and body. | United States. | |
| Sentry (Functional Software, Inc.) | Error and performance monitoring for the application. Collects stack traces and context when an unhandled exception occurs so we can fix bugs quickly. | Pseudonymized error traces, user ID (not email), URL path, user-agent. Known PII patterns (SSN, card numbers) are scrubbed before submission via [lib/sentry-scrub.ts]. | United States. | |
| Upstash, Inc. | Serverless Redis used for API rate limiting and ephemeral caches. QStash used as the asynchronous job queue that off-loads heavy processing from Stripe webhooks. | Pseudonymized rate-limit keys and counters; job payloads referencing internal record IDs (no plaintext PII). | United States. | |
| Better Stack (Logtail) | Centralized application log storage and alerting. | Application log lines with PII redacted before emission (user IDs retained; emails, SSN, card numbers scrubbed). | United States / EU. | |
| Anthropic, PBC | Compliance Assistant AI (Claude) answers compliance questions posed by authorized Nonprofit staff. The prompt includes compliance context and the question; it does not include Beneficiary SSN, full card numbers, or bank credentials. | Question text, compliance context (policy IDs, program names). | United States. | |
| Composio, Inc. | Workflow-automation platform for org-level integrations that the Nonprofit elects to enable (for example, forwarding an approval to a Slack channel the Nonprofit owns). | Only the workflow-trigger metadata and payloads that the Nonprofit chooses to send through Composio. Disabled by default. | United States. | |
| Google LLC (Google OAuth) | Optional "Sign in with Google" for Nonprofit staff. Invoked only when a user chooses Google login. | Email address, name, profile image, Google account ID. | United States. | |
| Microsoft Corporation (Microsoft Entra ID) | Optional "Sign in with Microsoft" for Nonprofit staff. Invoked only when a user chooses Microsoft login. | Email address, name, Microsoft account ID. | United States. |
Who is not on this list
OFAC sanctions screening is performed by calling the US Department of the Treasury's public SDN search API directly. The Treasury is a government agency, not a commercial sub-processor, and we do not share Beneficiary data with any third-party screening vendor.
BenefitsSafe does notuse Plaid, Finicity, MX, Teller, or any other third-party bank-aggregation service. Nonprofit bank-account onboarding is handled exclusively through Stripe Connect's native flow.
Data-sharing principles
- BenefitsSafe does not sell personal data to any third party.
- Sub-processors are contractually bound to process data only on BenefitsSafe's documented instructions, consistent with the DPA between each Nonprofit and BenefitsSafe.
- Every sub-processor has signed a DPA or equivalent data-protection terms with BenefitsSafe.
- The data shared with each sub-processor is limited to what is strictly necessary for the function we rely on them for.
- BenefitsSafe reviews each sub-processor's security certifications (SOC 2, ISO 27001, PCI DSS, DPF) at least annually.
Changes to this list
BenefitsSafe will provide at least 30 days' notice before engaging a new sub-processor or replacing an existing one. Notice is delivered two ways: (1) an update to this page with an updated version number and effective date; and (2) an email to the privacy contact on file for each active Nonprofit. Nonprofits that object on reasonable data-protection grounds may terminate the affected subscription for cause and receive a pro rata refund of pre-paid fees, as described in Section 5.3 of the DPA.
International data transfers
Every sub-processor listed above is headquartered in the United States. Where a sub-processor also maintains EU infrastructure (for example, Better Stack), BenefitsSafe's account is provisioned against US infrastructure. Nonprofit and Beneficiary data does not leave the United States in the normal course of processing.
If BenefitsSafe adds a sub-processor located outside the US in the future, the transfer will be governed by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK IDTA/Addendum where UK data is involved, or the EU-US Data Privacy Framework where the recipient is DPF-certified.
Audit and accountability
BenefitsSafe relies on the following publicly verifiable certifications held by its sub-processors:
- AWS: SOC 1, SOC 2 Type II, SOC 3, ISO 27001, PCI DSS Level 1, HIPAA-eligible.
- Stripe: SOC 1, SOC 2 Type II, PCI DSS Level 1.
- Vercel: SOC 2 Type II, ISO 27001.
- Cloudflare: SOC 2 Type II, ISO 27001, PCI DSS.
BenefitsSafe's own SOC 2 Type II audit is planned for completion in Q3 2026. Progress is published at /security.
Contact
Questions about this list, DPA requests, or objections to a new sub-processor:
- Privacy: privacy@benefitssafe.com
- Legal / DPA: legal@benefitssafe.com
- Mail: BenefitsSafe, Oakland, California
Version history
| Version | Date | Changes |
|---|---|---|
| 1.0 | April 21, 2026 | Initial publication. |