Sub-processors
This page is the authoritative current list of sub-processors Abundera, Inc. uses to operate our services. It is incorporated by reference into the Data Processing Addendum and the Privacy Policy.
We commit to giving enterprise subscribers at least thirty (30) days' advance notice before adding a new sub-processor or materially changing the data a sub-processor accesses, where required by applicable data-protection law or by a signed DPA. Subscribers may object in writing during that window, in which case we will offer a reasonable alternative or allow termination for cause.
1. Current sub-processors โ Abundera QR + Abundera QR Pro
| Sub-processor | Purpose | Data accessed | Location | Transfer mechanism | DPA / trust link |
|---|---|---|---|---|---|
| Cloudflare, Inc. | Compute (Workers, Pages Functions), database (D1), key-value store (KV), DNS, CDN, edge TLS termination | All account data (emails, Stripe customer IDs, shortcodes, destination URLs, scan records). Country and device-class only for scan events โ no IP, no raw user-agent written to storage. | United States (primary). Global edge network for CDN and KV hot cache. | EU Standard Contractual Clauses (SCCs) incorporated via Cloudflare's DPA. UK IDTA addendum for UK data. Swiss SCCs addendum for Switzerland. | Cloudflare DPA |
| Stripe, Inc. | Payment processing, subscription billing, invoicing, dunning, tax calculation (where enabled), chargeback handling | Email address, billing address (per Stripe's checkout flow), payment-method details (stored by Stripe; not by Abundera), subscription lifecycle events, payment history, tax jurisdiction. | United States (primary). Stripe has EU entities for EU customer data localization. | EU Standard Contractual Clauses (SCCs) incorporated via Stripe's DPA. UK IDTA addendum. PCI-DSS Level 1 certified for cardholder data. | Stripe DPA |
| Zoho Corporation (ZeptoMail) | Transactional email delivery: welcome, subscription cancellation, payment-failure notifications, Keep-Alive advance-notice emails | Email address and the email body itself. We do not send the email body through any third-party redirect or tracker; ZeptoMail delivers directly to your mail provider. | United States (ZeptoMail US region) / India (Zoho corporate). | EU Standard Contractual Clauses (SCCs) incorporated via Zoho's DPA. Zoho holds ISO 27001 and SOC 2 Type II certifications. | Zoho / ZeptoMail DPA |
2. Sub-processors โ Abundera Sign
The Abundera Sign product (e-signatures at sign.abundera.ai) uses the same infrastructure sub-processors listed above, plus the following Sign-specific services. Sign customers have a separate DPA packet; contact enterprise@abundera.ai for the Sign sub-processor list.
3. What we do not use
For the avoidance of doubt, at the version date of this page we do not use any of the following categories of sub-processor:
- Marketing or product-analytics platforms (no Google Analytics, Meta Pixel, Mixpanel, Amplitude, Segment, Hotjar, or equivalent).
- Customer-data-platform (CDP) vendors.
- Advertising networks or retargeting pixels.
- Customer-support chat tools that see user data.
- Third-party LLMs processing customer data (any production-time AI processing of customer data would require an amendment to this page and advance notice).
- Paid user-session-recording tools (FullStory, Logrocket, Pendo, etc.).
If we add any service in these categories, this page will be updated and subscribers notified per the change-notification commitment in Section 4.
4. Change-notification commitment
We commit to the following when making changes to the sub-processor list:
- New sub-processor: at least thirty (30) days' advance notice by email to enterprise subscribers and a posting here. Free and standard-Pro subscribers are notified via a banner in the dashboard on their next sign-in.
- Material change to the data a sub-processor accesses: same 30-day advance-notice process.
- Replacement of a sub-processor in the same category (e.g., switching transactional-email providers): at least fifteen (15) days' advance notice. Contractual data-protection obligations with the replacement will be at least equivalent to those with the departing provider.
- Immediate security exception: if we must suspend or replace a sub-processor on short notice to address an active security incident, we will notify promptly after the action and explain the rationale. This exception is used sparingly and in good faith.
Enterprise subscribers who have objected in writing during a notice window may request a reasonable alternative. If no alternative is feasible, the subscriber may terminate the affected service for cause with a prorated refund of the unused prepaid period.
5. Change log
| Date | Change |
|---|---|
| 2026-04-17 | Version 1.0 published. Lists Cloudflare, Stripe, and Zoho/ZeptoMail as the three sub-processors for Abundera QR and Abundera QR Pro. Establishes the 30-day advance-notice commitment. |
6. Contact
Questions about sub-processors, data-transfer safeguards, or the change-notification process: privacy@abundera.ai (preferred) or enterprise@abundera.ai.
Abundera, Inc., 200 W Sahara Ave, Unit 3301, Las Vegas, NV 89102, USA.