Sub-processors
Last updated: 21 June 2026
TravelCS engages the following sub-processors to deliver the service. We publish this list to meet our transparency obligations under Article 28(2) and Article 28(3)(d) GDPR and to give operators advance notice of any change. We will notify operators of new sub-processors at least 14 days before they are added so they can object under their DPA with us.
1. Current sub-processor register
| Sub-processor | Role | Data categories | Hosting region | Transfer basis (summary) | DPA |
|---|---|---|---|---|---|
| Supabase Inc. (via Lovable Cloud) | Managed Postgres database, authentication, file storage, edge runtime | All operator + customer records (booking_leads, leads, messages, auth.users, etc.) | EU (Frankfurt) — primary; US fallback only if explicitly enabled | EEA hosting by default. If US infrastructure is enabled: EU SCCs 2021/914 Module 3 (processor-to-processor) + Supabase DPA. No DPF reliance. | View DPA |
| Lovable AB | Hosting platform (Lovable Cloud), AI gateway, deploy pipeline | Operator metadata, deployment logs, prompts/completions routed via AI gateway | EEA (Sweden) + EU edge | EEA-only processing for platform + AI gateway. Lovable's own sub-sub-processors are governed by Lovable's DPA. | View DPA |
| Google LLC (Workspace / Gmail API) | Email channel — read/send on behalf of operators that connect a Google account | Email message metadata + bodies authorised by the operator via OAuth | Global (Google data centres); EU region available | EU–US Data Privacy Framework (Google LLC is an active participant) PLUS EU SCCs 2021/914 Module 2 as fallback under the Google Cloud DPA. | View DPA |
| Microsoft Corporation (Microsoft 365 / Graph API) | Email + calendar channel — read/send on behalf of operators that connect Microsoft 365 | Email message metadata + bodies, calendar events authorised by the operator via OAuth | EU Data Boundary for Microsoft 365 commercial customers | EU Data Boundary keeps customer data inside the EEA. For any residual transfers: EU–US Data Privacy Framework (Microsoft Corporation is an active participant) PLUS EU SCCs 2021/914 Module 2 under the Microsoft Products and Services DPA. | View DPA |
| Resend, Inc. | Transactional email delivery (DSAR verification, password reset, system alerts) | Recipient email address, subject, message body | US (with EU SCCs in place) | EU SCCs 2021/914 Module 2 under the Resend DPA. Resend is NOT a DPF participant — SCCs are the sole transfer mechanism. | View DPA |
| OpenAI, L.L.C. (via Lovable AI Gateway) | Large Language Model provider — powers AI classification, drafting and prioritisation features (ROPA activity A4) | Message bodies and minimal context required for the prompt (no PII in system prompts, no model-side persistence, no training on customer data) | US (Non-EEA); EU routing used where the gateway exposes EU endpoints | EU SCCs 2021/914 Module 2 under the OpenAI DPA (signed by Lovable as our gateway intermediary). OpenAI is NOT currently a DPF participant — SCCs are the sole transfer mechanism. Zero-retention API mode is enabled via the Lovable AI Gateway. | View DPA |
2. Chapter V transfer mapping (per sub-processor)
For each non-EEA sub-processor we publish the specific Chapter V mechanism we rely on — the signed SCC Module under Commission Decision 2021/914, the adequacy decision (where one applies, e.g. the EU–US Data Privacy Framework), DPF participant status, and the signed DPA reference. EEA-only processors are listed for completeness with no transfer mechanism required.
| Sub-processor | Primary region | Adequacy decision | SCC Module | SCC version | DPF participant | Signed DPA |
|---|---|---|---|---|---|---|
| Supabase Inc. (via Lovable Cloud) | EEA | — | Module 3 | Commission Decision 2021/914 (4 June 2021) | No | Supabase DPA v2024-04, countersigned via Lovable Cloud master agreement |
| Lovable AB | EEA | — | Not required (EEA) | n/a | N/A (EEA) | Lovable DPA v2025, countersigned at TravelCS account creation |
| Google LLC (Workspace / Gmail API) | Non-EEA | EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795, 10 July 2023) | Module 2 | Commission Decision 2021/914 (4 June 2021), incorporated by reference in the Google Cloud DPA | Yes | Google Workspace / Cloud DPA (current version, accepted at OAuth connection) |
| Microsoft Corporation (Microsoft 365 / Graph API) | Non-EEA | EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795, 10 July 2023) | Module 2 | Commission Decision 2021/914 (4 June 2021), incorporated in the Microsoft Products and Services DPA | Yes | Microsoft Products and Services DPA (current version, accepted via tenant admin consent) |
| Resend, Inc. | Non-EEA | — | Module 2 | Commission Decision 2021/914 (4 June 2021), incorporated by reference in the Resend DPA | No | Resend DPA (current version, countersigned at account creation) |
| OpenAI, L.L.C. (via Lovable AI Gateway) | Non-EEA | — | Module 2 | Commission Decision 2021/914 (4 June 2021), incorporated by reference in the OpenAI DPA | No | OpenAI DPA (current version, countersigned via Lovable AI Gateway master agreement); zero-retention API mode |
Encryption in transit (TLS 1.2+) and at rest (AES-256) is applied on every sub-processor that handles customer content. A transfer impact assessment (TIA) is reviewed at least annually and after any relevant CJEU ruling.
3. Operator DPA
Every operator using TravelCS is offered our standard Data Processing Agreement, which incorporates the SCCs by reference where relevant. The current template is available at /dpa.
4. Changes to this list
We will notify operators of any addition or replacement of a sub-processor at least 14 days before the change takes effect, via in-app notice and email to the operator's admin contact. Operators may object in writing within that period; if we cannot offer a workaround, operators may terminate the affected service.
5. Contact
Questions about this register: dpo@travelcs.ai.