/* VALDEX — Subprocessors */ const UPDATED_SP = "May 18, 2026"; function SubprocessorsPage() { return (

A subprocessor is a third party that processes personal data on our behalf. This page lists every subprocessor VALDEX LLC{" "} uses to run the business — what data they touch, where they are, what safeguards apply for international transfers, and which certifications they hold.

The list is part of our Data Processing Addendum. When we add or replace a subprocessor that processes client personal data, we publish the change here and notify affected clients at least 30 days{" "} in advance.

} sections={[ { id: "list", h: "1. Current subprocessors", body: (

Subprocessor	Service provided	Personal data processed	Region of processing	Safeguards for transfers from EU/UK	Security certifications
Stripe, Inc. Privacy	Invoicing and card processing	Client billing contact, invoice line items, payment-method token (Stripe holds the card number, not Valdex)	United States; EU sub-infrastructure for EU customers	EU–U.S. Data Privacy Framework certified; Standard Contractual Clauses	PCI DSS Level 1; SOC 1, SOC 2 Type II; ISO 27001
Google LLC (Google Workspace) Workspace DPA	Business email, Drive (documents), Calendar, Meet, admin logs	Email contents, document contents, calendar events, contact records, attachments	United States; configurable EU data region	EU–U.S. Data Privacy Framework certified; Standard Contractual Clauses; UK IDTA	ISO 27001, 27017, 27018; SOC 1, SOC 2, SOC 3
1Password (AgileBits Inc.) Privacy	Credential vault for engagement credentials	Account holder name, account holder email; credentials are end-to-end encrypted and unreadable by 1Password	Canada	Adequacy decision: Canada is an adequate country under the GDPR; transfers do not require SCCs	SOC 2 Type II; ISO 27001, 27017, 27018
Plausible Analytics (Plausible Insights OÜ) DPA	Cookieless web analytics for valdexai.com	Page URL, referrer, country, device class; no cookies; no cross-site tracking; no individual identifiers	European Union (Germany; Hetzner)	Data does not leave the EU. No transfer mechanism needed.	GDPR-compliant by design (no personal data persisted)
Cloudflare, Inc. Privacy	DNS, edge caching, DDoS protection, bot management for valdexai.com	IP address, request metadata; transient bot-management cookie (`__cf_bm`)	Global edge; closest available data center to the visitor	EU–U.S. Data Privacy Framework certified; Standard Contractual Clauses	ISO 27001, 27018; SOC 2 Type II; PCI DSS Level 1; FedRAMP Moderate
unpkg / Cloudflare Privacy	Public CDN serving React, ReactDOM, and Babel runtime to visitors' browsers	IP address, user-agent, requested resource	Global Cloudflare edge	EU–U.S. Data Privacy Framework certified; Standard Contractual Clauses	Same as Cloudflare above
Bunny.net (BunnyWay d.o.o.) Privacy	Web font CDN (Bunny Fonts) — privacy-respecting Google Fonts alternative	IP address (used to route to nearest edge; not persisted by Bunny Fonts)	European Union (Slovenia)	Data does not leave the EU for EU visitors. SCCs for non-EU transfers.	ISO 27001 in progress (as of 2026)

)}, { id: "advisors", h: "2. Professional advisors", body: (

The following are not subprocessors in the GDPR sense (they are independent controllers of any data we share with them) but we list them for transparency:

Advisor	Role	Data typically shared	Region
External CPA	Bookkeeping, tax filing	Invoices, financial records	United States
External counsel	Legal review, contract negotiation	Whatever is necessary for the specific matter	United States
Liability insurer	Professional indemnity / cyber-liability cover	Aggregate engagement and risk information; no client PI absent a claim	United States

)}, { id: "clientside", h: "3. Client-authorized platforms", body: (

During an engagement we access platforms you have authorized us to use on your behalf (e.g. Google Analytics, your CRM, your CMS, ad accounts on Meta / Google / LinkedIn / X / TikTok, Slack workspaces). These are your systems and your relationships, not our subprocessors. The data inside them is processed under your existing agreements with those providers. We follow your access policy and the least-privilege principle described in our trust & security{" "} page.

)}, { id: "changes", h: "4. Change-notification commitment", body: (

When we add a new subprocessor that will process client personal data:

We update this page first, with the new entry and an effective date.
Affected clients are notified by email at least 30 days before the new subprocessor begins processing — sooner where required by the client's specific DPA.
Clients may object on reasonable grounds. If we cannot accommodate the objection (e.g. the subprocessor is foundational), we will work in good faith on a path forward — including, in the limit, allowing the client to terminate the affected engagement without penalty for the remaining notice period.

You can subscribe to subprocessor-change notifications by emailing{" "} privacy@valdexai.com{" "} with the subject "Subprocessor notifications" — we will add you to the announcement list. The list is used only for this purpose.

)}, { id: "removed", h: "5. Recently removed subprocessors", body: (

None at the time of this revision. We will list providers we have stopped using in this section, with the date of removal, so the list has a history.

)}, { id: "contact", h: "6. Contact", body: (

Questions about a specific subprocessor, or a request for evidence of safeguards:

VALDEX LLC
Attn: Privacy
1309 Coffeen Ave, Ste 1200
Sheridan, WY 82801, United States
privacy@valdexai.com

)}, ]} /> ); } ReactDOM.createRoot(document.getElementById("root")).render();