HarborIQ — GDPR Art. 28

Sub-processors & DPA pack

Last reviewed: 13 May 2026

The following third parties may process personal data on HarborIQ's behalf. Each is bound by a Data Processing Agreement (DPA) and, for transfers outside the EEA, by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF). Use the links below to access each provider's current legal documents.

1. Supabase
EU — Ireland
Managed Postgres database, authentication, file storage
- DPA: https://supabase.com/downloads/docs/Supabase+DPA+250314.pdf
- Privacy Policy: https://supabase.com/privacy
- Sub-processors: https://supabase.com/security/sub-processors
2. Amazon Web Services
EU — Ireland
Underlying cloud infrastructure (eu-west-1, Ireland)
- DPA: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
- Privacy Notice: https://aws.amazon.com/privacy/
- GDPR Center: https://aws.amazon.com/compliance/gdpr-center/
3. Lovable
EU + global edge
Application hosting & global CDN for static assets
- DPA: https://lovable.dev/dpa
- Privacy Policy: https://lovable.dev/privacy
4. Google LLC
USA — SCCs / DPF
OAuth identity (only if you Sign in with Google)
- Processor Terms: https://business.safety.google/processorterms/
- Privacy Policy: https://policies.google.com/privacy
- DPF Certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI
5. Apple Inc.
USA — SCCs / DPF
OAuth identity (only if you Sign in with Apple)
- Developer Agreement: https://developer.apple.com/terms/
- Privacy Policy: https://www.apple.com/legal/privacy/
- Sign in with Apple: https://developer.apple.com/sign-in-with-apple/

1. Supabase

2. Amazon Web Services

3. Lovable

4. Google LLC

5. Apple Inc.