Data processing transparency · DPAs/SCCs on request · Pre-change notifications
Subprocessors
Last updated: 8 Dec 2025
Vendors that process data on behalf of Lumioh. We minimize scope, apply least-privilege access, and post changes before activation.
Current and planned vendors
Posted before activation; scoped to minimum necessary data.
| Name | Purpose | Data categories | Region | Notes |
|---|---|---|---|---|
| Supabase | Database, auth, storage, edge functions, transactional email | Customer records, auth metadata, files/uploads, operational logs, email addresses and templates | Primary region (Supabase PoP) | Encryption at rest/in transit; row-level security; backups; least-privilege access; transactional emails sent via Supabase. |
| Firebase Hosting | Front-end hosting for customer-facing apps | Static assets, configuration, minimal runtime logs (transient) | Global | Serves the front-end; no customer data persisted beyond transient logs. |
| Cloudflare | CDN, edge security (WAF), API route protection, TLS termination | App content, metadata for requests (transient), cache contents | Global | Firewalling and DDoS protection; minimal data retention; cache purges on deploys. |
| Stripe | Billing, subscriptions, payments | Billing contacts, payment tokens, subscription metadata | Global | Card data tokenized; Stripe is PCI compliant; used for paid plans and upgrades. |
| Sentry | Error, performance, and stability monitoring | Runtime errors, stack traces, minimal request metadata (no payloads by design) | Global | Scoped to operational telemetry; PII exclusion filters enabled; used for uptime and performance tracking. |
| Status page provider | Public status, incident communications, and notifications | Service availability summaries, incident notes | Global | Will power /status plus RSS/email alerts once live. |
How we manage subprocessors
Principles for adding, reviewing, and notifying changes.
We keep a single source of truth for subprocessors; changes are logged and dated.
Vendors are scoped to the minimum data needed; sensitive data stays in core data stores.
DPAs/SCCs are executed where required; data residency options will be noted when available.
We notify customers before onboarding new vendors that process customer data.
Trust, AI, and status
Deeper detail on controls and uptime.
Get notified
Subscribe to changes when status goes live.
We will expose RSS/email/webhook subscriptions from the status page for subprocessor and incident updates.
Need DPAs, SCCs, or vendor scopes?
Contact privacy@lumioh.com for DPA/SCC copies or vendor security summaries.
How often is this list updated?
We update it when a vendor is added, removed, or materially changes scope. New vendors are posted before activation.
How do you assess vendors?
Security reviews, DPAs/SCCs as applicable, least-privilege access, and data minimization. High-impact vendors require approval.
Can I get a DPA or security package?
Email privacy@lumioh.com or security@lumioh.com to request our DPA and security materials.
Where can I see uptime and incidents?
Visit /status for availability and incident history once live. We will also expose RSS/email/webhook subscriptions there.