TrailTrack by Boardrooms to Backroads
Template — review with legal counsel. This document is a starting point and must be reviewed and adapted by a qualified attorney for your jurisdiction(s) before you rely on it.

Subprocessors

Last updated: 22 June 2026

To provide TrailTrack (the “Service”), Boardrooms to Backroads Consulting LLC (“B2BC”, “we”, “us”) engages a small number of trusted third parties to Process Personal Data on our behalf. A “Subprocessor” is any such third party that we engage to Process Personal Data contained in Customer Content in connection with the Service. This page is published for transparency and supplements our Data Processing Addendum and our Privacy Policy. It is a template intended to be reviewed with legal counsel and kept current.

With respect to Customer Content, the Customer is the Controller and B2BC is the Processor; our Subprocessors act on our instructions under written terms. The list below is illustrative of our current arrangements and is subject to change as the Service evolves.

1. Current Subprocessors

The following Subprocessors are engaged for all or most Customers as part of the core infrastructure of the Service:

  • Supabase — managed Postgres database, authentication, and file storage. Data categories: substantially all Customer Content and account data, including User identification and contact data, authentication data, tasks, comments, documents, and uploaded files.
  • Vercel — application hosting and content delivery network (CDN). Data categories: HTTP request, usage, and log data (such as IP addresses, device and browser metadata, and requested URLs) processed to serve and accelerate the application.
  • Stripe — payment and subscription processing. Data categories: billing and payment data, such as the billing contact, subscription details, and the payment-method and transaction information handled by Stripe as a payment processor.
  • Resend — transactional and notification email delivery. Data categories: recipient email addresses and the contents of transactional messages (such as invitations, notifications, and security or account emails).

2. Conditional, Customer-enabled Subprocessors

The following Subprocessors are engaged only if the Customer or a User chooses to enable the related feature or integration. If the feature is not turned on, no Personal Data is shared with these providers:

  • The Customer’s chosen AI provider under bring-your-own-key (“BYOK”) — for example Anthropic, OpenAI, Google, xAI, or Mistral. These providers are engaged only when the Customer enables AI features and supplies its own API key. Data categories: the prompts and the relevant Content the Customer submits for AI Processing, sent under the Customer’s own account and key and subject to the chosen provider’s terms.
  • User-connected integrations — for example Google, Microsoft, Slack, and other services a User connects to the Service. These providers are engaged only when a User authorises the connection. Data categories: the data exchanged with that service to enable the integration the User has chosen (such as calendar events, profile and sign-in data, or messages), limited to what the integration requires.

3. How we vet Subprocessors

Before engaging a Subprocessor that Processes Personal Data, we assess whether the provider offers appropriate security and data-protection commitments suitable to the nature of the Processing. We engage Subprocessors under written terms that impose data-protection obligations substantially equivalent to those in our Data Processing Addendum, and we limit the data shared with each provider to what is necessary for its function. We remain responsible to the Customer for the performance of our Subprocessors’ obligations.

4. Notice of new Subprocessors and how to object

When we intend to add or replace a Subprocessor that Processes Personal Data, we will provide a mechanism for affected Customers to be informed before, or promptly after, the change takes effect, so that the Customer has an opportunity to object on reasonable data-protection grounds. If a Customer reasonably objects and we cannot address the objection, the Customer may, as its sole remedy, discontinue the affected portion of the Service in accordance with the Terms of Service and the Data Processing Addendum. To raise an objection, contact us at the address in Section 7.

5. International transfers

Several of our Subprocessors operate in the United States and may Process Personal Data there or in other countries. Where a Subprocessor Processes Personal Data subject to cross-border transfer restrictions, we rely on an appropriate transfer mechanism, such as the Standard Contractual Clauses, an adequacy decision, or another lawful safeguard, as described in our Data Processing Addendum. Provider locations and the applicable safeguards are described there and may be supplemented by [EU/UK representative] particulars where required.

6. Updates to this list

We may update this list from time to time to reflect changes in our Subprocessors. The “Last updated” date above indicates when the list was last revised. This list is illustrative and subject to change; we endeavour to keep it accurate and current, but the absence of a particular provider here does not by itself create any commitment.

7. Contact

Questions about our Subprocessors, or objections to a new Subprocessor, may be directed to privacy@boardroomstobackroads.com or to our data-protection contact at dpo@boardroomstobackroads.com. For more detail on our security practices, see the Security Overview.

TrailTrack is a product of Boardrooms to Backroads Consulting LLC. Patent pending.