Data Processing & Sub-Processors
1. Data Controller
Abundera, Inc. ("Abundera") acts as the data controller for all personal data processed through the Abundera platform. We determine the purposes and means of processing your personal information and are responsible for ensuring it is handled lawfully and securely.
As data controller, Abundera:
- Decides what personal data is collected and why
- Ensures appropriate legal bases exist for processing (consent, contract performance, legitimate interest)
- Maintains data processing records as required by GDPR Article 30
- Implements technical and organizational security measures
- Manages sub-processor relationships and conducts vendor security assessments
2. Sub-Processors
Abundera engages the following third-party sub-processors to deliver our services. All sub-processors are contractually required to protect your data to standards equivalent to or exceeding our own. Each holds SOC 2 Type II certification or equivalent.
| Sub-Processor | Purpose | Data Processed | Location | DPA | Certifications |
|---|---|---|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, database, KV storage | All platform data | Global (300+ PoPs) | Cloudflare DPA | SOC 2 Type II, ISO 27001, PCI DSS Level 1 |
| Stripe, Inc. | Payment processing | Billing data, email | US/Global | Stripe DPA | SOC 2 Type II, PCI DSS Level 1 |
| Plaid, Inc. | Bank account linking | Financial account data | United States | Plaid DPA | SOC 2 Type II |
| Zoho Corporation (Zeptomail) | Transactional email (primary) | Email addresses, notification content | United States | Zoho DPA | SOC 2 Type II, ISO 27001 |
| Resend, Inc. | Transactional email (fallback) | Email addresses, notification content | United States | Resend DPA | SOC 2 Type II |
| Twilio, Inc. | SMS notifications | Phone numbers, message content | US/Global | Twilio DPA | SOC 2 Type II, ISO 27001 |
| Amazon Web Services (KMS only) | Key management (envelope encryption) | No user data — cryptographic key material only | Single US region | AWS DPA | SOC 2 Type II, ISO 27001, FIPS 140-2 Level 3 |
| Lob, Inc. | Physical mail delivery (Abundera Letters) | Recipient names, addresses, letter content | United States | Lob DPA | SOC 2 Type II |
No user data is shared with advertising networks, analytics vendors, data brokers, or third-party AI model providers. Abundera runs AI models on private, dedicated infrastructure.
3. Data Transfer Safeguards
Abundera takes the following measures to protect personal data during international transfers:
- Standard Contractual Clauses (SCCs): All sub-processors processing data outside the EEA are bound by EU-approved Standard Contractual Clauses for international data transfers.
- US-only platform: Abundera operates exclusively in the United States until further notice. All persistent data is stored in the US. International expansion is not on the current roadmap. If international markets are served in the future, appropriate transfer mechanisms (DPF certification, SCCs) will be implemented.
- Encryption in transit: All data transfers between Abundera and sub-processors are encrypted with TLS 1.3.
- Encryption at rest: Sensitive data is encrypted with AES-GCM at the application layer before being transmitted to any sub-processor's storage.
- Data minimization: Each sub-processor receives only the minimum data necessary to perform its function. For example, Stripe receives only billing data, never financial account details.
4. Sub-Processor Change Notification
Abundera will provide at least 14 days' advance written notice before engaging a new sub-processor or materially changing how an existing sub-processor processes personal data. Notifications will be sent via:
- Email to the account holder's registered email address
- Updates to this page with a revised "Last updated" date
- In-app notification in the Abundera dashboard
If you object to a new sub-processor, you may contact us within the 14-day notice period. We will work with you to resolve the concern, which may include providing an alternative data processing arrangement or, if no resolution is possible, allowing you to terminate your subscription without penalty.
5. Vendor Security Assessments
Before engaging any sub-processor, Abundera conducts a security assessment that evaluates:
- SOC 2 Type II report or equivalent third-party audit
- Data encryption practices (at rest and in transit)
- Access control and authentication mechanisms
- Incident response capabilities and breach notification timelines
- Data retention and deletion policies
- Regulatory compliance (GDPR, CCPA, applicable financial regulations)
Assessments are reviewed annually or when material changes occur in the sub-processor's service or security posture.
6. Data Processing Records
Abundera maintains records of all data processing activities as required under GDPR Article 30, including:
- Categories of data subjects and personal data processed
- Purposes of processing
- Recipients (sub-processors) who receive personal data
- Data transfers to third countries and safeguards applied
- Retention periods for each data category
- Technical and organizational security measures
These records are available to supervisory authorities upon request.
7. Contact
For questions about our data processing practices, to request a copy of a sub-processor DPA, or to raise concerns about a sub-processor change:
Abundera, Inc.
Attn: Privacy
200 W Sahara Ave, Unit 3301
Las Vegas, NV 89102
privacy@abundera.ai