Annex II to the Data Processing Agreement
Sub-processors
Last updated: June 2026
We use the carefully chosen third parties below to operate the Covered Beauty platform. Each is bound by its own Data Processing Agreement and has been assessed for technical and organisational security measures. We will notify subscribers at least 30 days before adding or replacing any sub-processor.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase Inc. | Database, authentication and file storage | United Kingdom (eu-west-2) | View |
| Vercel Inc. | Web hosting and edge runtime | United States (with EU data residency) | View |
| Stripe Payments Europe Ltd. | Payment processing for booking deposits | Republic of Ireland | View |
| Resend Inc. | Transactional email delivery | United States (Standard Contractual Clauses) | View |
| Cloudflare, Inc. | Bot-detection / human-verification challenges (Turnstile) on signup, login and the public booking form | United States (Standard Contractual Clauses) | View |
| Twilio Ireland Limited | Optional SMS appointment reminders to end clients (only enabled when the salon switches reminders on) | Republic of Ireland | View |
| Google Ireland Limited | Optional Google Calendar sync for salon owners (only enabled when the owner explicitly connects their Google account) | Republic of Ireland | View |
| Functional Software, Inc. d/b/a Sentry | Server-side error and performance monitoring (no PII is intentionally logged; only stack traces, request paths, and salon ids in tags) | United States (Standard Contractual Clauses + UK Addendum) | View |
Notifications
We will notify the account owner by email at least 30 days before any new sub-processor begins processing personal data. If you object to a new sub-processor, please contact us at hello@covered.technology within the notice period.
Hamr Ltd