Effective May 12, 2026. The vendors that process Customer Data on behalf of ROOF_OS, with purpose, data, and region.
| Vendor | Purpose | Data Categories | Region |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Compute, object storage, managed databases, networking | Customer Data, account data, audit logs, backups | us-east-1, us-west-2, eu-west-1 |
| Cloudflare, Inc. | Edge CDN, DDoS mitigation, WAF, Workers, R2, KV | Request metadata, IP, headers, public Platform assets | Global edge |
| Crossmint, Inc. | Card, ACH, wire, and stablecoin payment processing | Billing identity, transaction metadata, KYC artifacts | United States |
| MoonPay USA LLC | Fiat-to-crypto on-ramp and direct stablecoin checkout | Billing identity, transaction metadata, KYC artifacts | United States; EEA for EU customers |
| Hel.io Labs, Inc. | Stablecoin checkout flows operated atop MoonPay | Wallet addresses, transaction metadata | United States |
| Anthropic PBC | Large-language-model inference for Agents (no training on Customer Data) | Prompts, retrieved context, generated Output | United States |
| OpenAI, L.L.C. | Fallback LLM inference and embeddings (no training on Customer Data) | Prompts, retrieved context, generated Output | United States |
| Twilio Inc. | SMS, MMS, and voice communications with homeowners and leads | Phone numbers, message bodies, call metadata, recordings (opt-in) | United States; regional carriers worldwide |
| Mailgun Technologies, Inc. | Transactional and operational email | Email addresses, message bodies, delivery metadata | United States |
| PostHog Inc. | Product analytics, feature flags, session insight (cookieless mode) | Hashed user IDs, page events, performance metrics | United States; EU available on request |
| Functional Software, Inc. (Sentry) | Application error tracking and performance monitoring | Stack traces, request metadata, redacted user IDs | United States |
| Cloudflare Tunnel / Access | Zero-trust access for ROOF_OS engineering team | Engineering access logs | Global edge |
| GitHub, Inc. | Source control, CI, build artifacts | No Customer Data; code only | United States |
| 1Password (AgileBits Inc.) | Secrets management for ROOF_OS personnel | No Customer Data; staff credentials only | Canada |
A sub-processor is a third-party data processor engaged by ROOF_OS that has or potentially will have access to Customer Personal Data. Sub-processors are bound by written agreements that impose data-protection terms substantially equivalent to those between ROOF_OS and you, as required by GDPR Article 28(4) and analogous laws.
Before engaging a sub-processor we evaluate: (a) security posture (SOC 2, ISO 27001, penetration tests); (b) privacy compliance (GDPR, CCPA, LGPD, PIPEDA, UK GDPR); (c) data-transfer mechanism (Standard Contractual Clauses or equivalent for cross-border transfers); (d) sub-processor location and government-access regime; (e) financial stability and incident-response maturity. Engagement is approved by the Privacy and Security functions.
We email security and privacy contacts on file at least thirty (30) days before adding a sub-processor that will process Customer Personal Data. To receive notifications, subscribe at privacy@roof10x.com with the subject line "SUBSCRIBE — SUB-PROCESSOR UPDATES." Customers with reasonable objection rights under their Order Form or DPA may object in writing within the notice period; if we cannot reasonably accommodate the objection, the Customer may terminate the affected service for the unused portion of the prepaid term as the sole remedy.
Enterprise customers may execute the ROOF_OS Data Protection Addendum, which incorporates the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK Addendum. Request a counter-signable DPA at privacy@roof10x.com.
We do not provide governmental authorities with bulk or backdoor access to Customer Data. We will challenge overbroad requests, notify the affected Customer where lawfully permitted, and disclose only data strictly required by valid legal process.
Privacy & DPA: privacy@roof10x.com. Security questionnaires: security@roof10x.com. To receive sub-processor change notifications, subscribe per the section above.
