Last updated: May 10, 2026

ROAS.to engages the third-party providers below (each a "Subprocessor") to deliver, host, secure, monitor, and improve the Service. The list is current as of the "Last updated" date and is part of our Data Processing Addendum (Annex 3).

Each Subprocessor is bound by a written agreement that includes data-protection obligations no less protective than those we owe to our Customers, including appropriate technical and organizational measures, sub-processor restrictions, and (where required) a GDPR-compliant DPA with EU Standard Contractual Clauses or other lawful international-transfer mechanism.

| Subprocessor | Role | Data accessed | Region | Posture / certifications |
|---|---|---|---|---|
| Vercel Inc. | Application hosting and CDN for the dashboard and marketing site (www.roas.to) | All Customer Data accessible to dashboard requests; HTTP request logs | United States (global edge) | SOC 2 Type II, ISO 27001, EU-US DPF; offers EU SCCs |
| Railway Corporation | Backend service hosting (analytics API, sync workers, automation, optimization, cloning, budget, Everflow integration) | All Customer Data processed by backend services | United States | SOC 2 Type II; offers EU SCCs |
| Neon Inc. | Managed PostgreSQL database hosting | All persisted Customer Data (encrypted at rest) | United States and EU regions; tenant-data region pinned to a single region | SOC 2 Type II, ISO 27001, HIPAA, GDPR DPA |
| Cloudflare, Inc. | Edge workers, CDN, DNS, KV cache, Cloudflare-for-SaaS custom hostnames, DDoS and bot mitigation | Edge request logs; tracking-technology event payloads in transit; KV cache for snippet variants | Global (anycast); EU + US hot paths | SOC 2 Type II, ISO 27001/27018, PCI-DSS, GDPR DPA, EU-US DPF |
| Upstash, Inc. | Redis (rate limiting, tenant cache) and QStash (critical email queue, scheduled tasks) | Rate-limit counters, tenant-scoped cache entries, queued email payloads | United States and EU regions | SOC 2, GDPR DPA |

| Subprocessor | Role | Data accessed | Region | Posture / certifications |
|---|---|---|---|---|
| Clerk, Inc. | User authentication, session management, identity | Account holder email, name, OAuth identities, session metadata | United States | SOC 2 Type II, ISO 27001, HIPAA, GDPR DPA |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring | Error stack traces, request metadata, scrubbed payload context (no Facebook tokens, no plaintext PII) | United States and EU regions | SOC 2 Type II, ISO 27001, GDPR DPA, EU-US DPF |
| Resend (Resend, Inc.) | Transactional email delivery (account alerts, automation notifications, billing receipts, security notices) | Recipient email address, message subject and body | United States | SOC 2 Type II, GDPR DPA |
| Vercel Analytics (Vercel Inc.) | Anonymous aggregate page-view counting on the roas.to marketing site (cookieless; no client-side storage; IP truncated at the edge) | Truncated IP, request path, referrer category, viewport bucket — all aggregated, never linked to an individual | United States (global edge) | Covered by Vercel's GDPR DPA and EU-US DPF certification; relies on ePrivacy Art. 5(3) cookieless-analytics carve-out |

| Subprocessor | Role | Data accessed | Region | Posture / certifications |
|---|---|---|---|---|
| Anthropic, PBC | AI model API for ad creative generation, account-health summaries, copy editing, audience analysis, creative strategy | Prompt content (ad copy, anonymized performance metrics, brand context); no Facebook tokens, no plaintext PII of end users | United States | SOC 2 Type II, GDPR DPA, EU SCCs; Anthropic API contractually does not train on submitted data |
| OpenAI, L.L.C. | AI model API used for selected AI features | Prompt content (ad copy, anonymized performance metrics, brand context); no Facebook tokens, no plaintext PII of end users | United States | SOC 2 Type II, GDPR DPA, EU SCCs, EU-US DPF; OpenAI API contractually does not train on submitted data |
| Google LLC (Gemini API) | AI model API used for image generation (Gemini image models) and selected text AI features | Prompt content (ad creative briefs, brand context, reference images uploaded for image generation); no Facebook tokens, no plaintext PII of end users | United States | SOC 2 Type II, ISO 27001/27017/27018, GDPR DPA, EU SCCs, EU-US DPF; Gemini API paid tier contractually does not use prompts or responses to improve Google products |

AI providers receive only the prompt content needed to fulfill the specific AI feature you invoke. We do not send Facebook tokens, app secrets, or plaintext personal-data fields of end users to AI providers. We use these providers under their commercial API terms, which prohibit training their general-purpose models on submitted content.

| Subprocessor | Role | Data accessed | Region | Posture / certifications |
|---|---|---|---|---|
| Dodo Payments | Subscription billing, payment processing, tax handling | Account holder email; billing address; tokenized payment instrument (full card data is processed by Dodo Payments and never reaches ROAS.to) | United States and India | PCI-DSS, GDPR DPA |

| Subprocessor | Role | Data accessed | Region | Posture / certifications |
|---|---|---|---|---|
| Meta Platforms, Inc. | Marketing API and Conversions API — receives data only when the Customer instructs the Service to call them on its behalf | Ad account configurations, campaign and ad metadata, audience identifiers, conversion events including SHA-256-hashed contact fields where the Customer elects to send them | United States and global | Meta Platform Terms; Meta is the Customer's controller-of-record for Conversions API events under Meta's Business Tools Terms |

Meta is listed for transparency. Meta is not a sub-processor in the strict GDPR sense — when the Customer instructs the Service to call Meta's Marketing or Conversions API, Meta becomes a separate controller / business-tools recipient under its own terms. Customers using the Conversions API should refer to Meta's Business Tools Terms and Customer Data Processing Terms for their respective relationship with Meta.

We will give Customers at least thirty (30) days' advance notice of any new or replacement Subprocessor by updating this page and (for Customers who have subscribed) by email. Notice may be shorter where reasonably necessary for security, business continuity, or legal compliance.

Subscribe to change notifications: email privacy@roas.to with the subject line "Subscribe to Subprocessor Changes" from the email address on your account. We will add you to the change-notification list.

Customers may object to a new Subprocessor on reasonable data-protection grounds within fifteen (15) days of receipt of notice, and the parties will work in good faith to resolve the objection. If a resolution cannot be reached within thirty (30) days, the Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service for convenience and receive a pro-rata refund of any prepaid, unused fees for that portion. See Section 5 of the DPA.

Questions about this list, requests for transfer-mechanism documentation, or Subprocessor-specific concerns: privacy@roas.to.