Privacy Policy

Overview

GDPR Article 28(2) requires us, as your processor, to list every sub-processor we engage. This page is that list. We update it on material changes and notify active merchants by email at least 30 days before adding any new sub-processor.

Each sub-processor below has either signed a Data Processing Addendum with us or publishes standard contractual clauses we rely on.

Core infrastructure

Sub-processor	Purpose	Location	Certifications inherited
Vercel Inc. vercel.com	Hosting the KAK Edge dashboards and APIs	USA (multi-region edge)	SOC 2 Type II, ISO 27001, HIPAA BAA available
Supabase Inc. supabase.com	Per-tenant isolated database (one project per merchant). Stores dashboard data, tracker events, order mirrors, hashed PII.	USA (default) or Frankfurt EU on request	SOC 2 Type II, GDPR DPA
Cloudflare Inc. cloudflare.com	DNS, TLS termination, DDoS protection	Global CDN	SOC 2 Type II, ISO 27001

Communications & billing

Sub-processor	Purpose	Location	Certifications
Stripe Inc. stripe.com	Subscription billing and payment processing	USA	PCI DSS Level 1, SOC 2 Type II
Resend Inc. resend.com	Transactional email delivery (magic links, lifecycle reminders, deletion certificates)	USA	SOC 2 Type II, GDPR DPA
Inngest Inc. inngest.com	Background job orchestration (tenant provisioning, 17-step pipeline, deletion lifecycle)	USA	SOC 2 Type II
Upstash Inc. upstash.com	Rate-limiting and caching (Redis)	USA (multi-region)	SOC 2 Type II

Third-party integrations (on Customer's instructions)

The following are not sub-processors of KAK strictly speaking — Customer authorises KAK to connect and exchange data with them on Customer's behalf. We list them here for transparency.

Service	Data exchanged
Meta Platforms, Inc. (Facebook, Instagram)	SHA-256 hashed shopper identifiers + conversion events via Conversions API, on Customer's Meta ad account
Shopify Inc.	Shopify Admin API access to Customer's shop: products, orders, customers (read + webhooks, per Customer's granted scopes)

Operational tooling (no merchant data)

Tools we use internally that do NOT process merchant Personal Data but are listed for full transparency:

Service	Purpose
GitHub, Inc.	Source-code hosting (no customer data in repos)
Google Workspace	KAK team email (`hello@kakedge.com`, `grievance@kakedge.com`, etc.)
1Password	Internal credential management

Notification of changes

If we add a new sub-processor that will process Personal Data:

We update this page with the new entry and a dated "Last updated"
We email all active merchants 30 days before onboarding begins
You may object on reasonable data-protection grounds by replying to that email; if we can't resolve, you have the right to terminate and claim a prorated refund

Questions

Email hello@kakedge.com or grievance@kakedge.com.