Sub-Processors | Tutorbase

Tutorbase uses the third-party vendors below as sub-processors to operate the Service. Each is bound by a data processing agreement with us, processes personal data only on our instructions, and provides commitments on security and international transfers consistent with our Privacy Policy and Data Processing Addendum.

We will give subscribers at least 30 days' notice before adding a new sub-processor that handles personal data, where reasonably practicable. To receive change notifications, email privacy@tutorbase.com with the subject "Subscribe to sub-processor changes."

Key facts

Tutorbase publishes a public list of sub-processors at tutorbase.com/sub-processors.
Tutorbase commits to 30 days' advance notice before engaging a new sub-processor where reasonably practicable.
Tutorbase has appointed an EU representative under GDPR Article 27.
Tutorbase relies on the EU Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum for personal data transferred outside the EEA or the United Kingdom.
Tutorbase preferentially selects sub-processors with SOC 2 Type II or ISO 27001 attestation for hosting, authentication, payments, and observability.
Tutorbase deletes customer data within 30 days of contract termination on request, except where law requires longer retention.

Sub-processor	Purpose	Data	Region	DPA
Supabase	Database, file storage, and authentication signals	Account data, subscriber-controlled customer data, application data	United States	View
Clerk	User authentication and session management	Email, name, password hash, sign-in metadata, device info	United States	View
Stripe	Payment processing via Stripe Connect (your organization is the merchant of record)	Billing details, payment method metadata, transaction data	United States; EU/UK for relevant cardholder data	View
Sentry	Error tracking and limited session replay for diagnosing issues	URLs, stack traces, masked replay events, user role, page area	European Union (eu.sentry.io)	View
PostHog	Product analytics and feature flags	Page views, feature usage events, anonymized device data	European Union (eu.i.posthog.com)	View
Resend	Transactional and marketing email delivery	Email address, message content, delivery metadata	United States	View
Vercel	Web hosting and edge content delivery for the marketing site and application	HTTP request logs, IP address (truncated), user agent	United States with global edge	View
Railway	Backend application and worker hosting	Application data in flight, logs	United States	View
Google (Tag Manager + Analytics 4)	Marketing-site analytics and tag management (loaded with your consent)	Page views, anonymized client identifiers, approximate location	United States	View
Google Calendar / Google Workspace APIs	Calendar synchronization for teacher availability, busy-time imports, and Tutorbase-managed lesson events	Teacher calendar metadata, busy-time events, Tutorbase lesson times, lesson titles, and locations	United States with global infrastructure	View
Google Maps	Office location map on the contact page (loaded when you view that page)	IP address, browser identifiers (set by Google when the embed loads)	United States	View

Supabase

DPA

Purpose: Database, file storage, and authentication signals
Data: Account data, subscriber-controlled customer data, application data
Region: United States

Clerk

DPA

Purpose: User authentication and session management
Data: Email, name, password hash, sign-in metadata, device info
Region: United States

Stripe

DPA

Purpose: Payment processing via Stripe Connect (your organization is the merchant of record)
Data: Billing details, payment method metadata, transaction data
Region: United States; EU/UK for relevant cardholder data

Sentry

DPA

Purpose: Error tracking and limited session replay for diagnosing issues
Data: URLs, stack traces, masked replay events, user role, page area
Region: European Union (eu.sentry.io)

PostHog

DPA

Purpose: Product analytics and feature flags
Data: Page views, feature usage events, anonymized device data
Region: European Union (eu.i.posthog.com)

Resend

DPA

Purpose: Transactional and marketing email delivery
Data: Email address, message content, delivery metadata
Region: United States

Vercel

DPA

Purpose: Web hosting and edge content delivery for the marketing site and application
Data: HTTP request logs, IP address (truncated), user agent
Region: United States with global edge

Railway

DPA

Purpose: Backend application and worker hosting
Data: Application data in flight, logs
Region: United States

Google (Tag Manager + Analytics 4)

DPA

Purpose: Marketing-site analytics and tag management (loaded with your consent)
Data: Page views, anonymized client identifiers, approximate location
Region: United States

Google Calendar / Google Workspace APIs

DPA

Purpose: Calendar synchronization for teacher availability, busy-time imports, and Tutorbase-managed lesson events
Data: Teacher calendar metadata, busy-time events, Tutorbase lesson times, lesson titles, and locations
Region: United States with global infrastructure

Google Maps

DPA

Purpose: Office location map on the contact page (loaded when you view that page)
Data: IP address, browser identifiers (set by Google when the embed loads)
Region: United States

Notes

“Region” describes the primary processing location of the sub-processor. Some operate global edge networks; the headline region reflects where their controllers and primary data stores are operated.
“Data” lists the categories of personal data most relevant to that sub-processor. It is not necessarily exhaustive and excludes derived or operational metadata.
Where a sub-processor is based outside your country of residence, transfers are governed by Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent transfer mechanisms as described in our Privacy Policy.
For an overview of our broader security practices, see our Security overview.