Argus

Sub-processors

Last updated:

These are the third-party services that process customer data on Argus' behalf. Each one is bound by a Data Processing Agreement under GDPR Article 28. We add a vendor only when it's necessary to run the service, and we publish the change here on the same deploy that brings the vendor online.

If you're a controller (a customer with EU users) and you object to a new sub-processor, contact us at support@argus-profiler.com within 30 days of the change being published here.

  • Render

    Added
    Purpose
    Hosting (web services, Postgres, cron jobs).
    Data categories
    • All customer data — profiling sessions, account info, audit logs, billing records
    Legal entity
    United States (Render Services, Inc.)
    Data residency
    Frankfurt, Germany (eu-central region)
    DPA
    https://render.com/legal/dpa
    Notes
    Argus deploys exclusively in the Frankfurt region; data does not leave the EU under normal operation.

  • Stripe

    Added
    Purpose
    Payment processing for subscription billing.
    Data categories
    • Billing email, organisation name, subscription status, payment method (held by Stripe, not Argus)
    Legal entity
    Ireland (Stripe Payments Europe Ltd.)
    Data residency
    Ireland + United States (PCI-DSS infrastructure)
    DPA
    https://stripe.com/legal/dpa
    Notes
    Customer card details never touch Argus servers — Stripe Checkout collects them directly. Argus only stores Stripe customer IDs and subscription metadata.

  • Resend

    Added
    Purpose
    Transactional email (verification, password reset, billing alerts, audit notifications).
    Data categories
    • Email address, recipient name, message content
    Legal entity
    United States (Resend, Inc.)
    Data residency
    United States
    DPA
    https://resend.com/legal/dpa
    Notes
    Used only for service-related email. No marketing email sends through Resend.

How we evaluate new sub-processors

  1. The vendor must publish a DPA covering GDPR Article 28(3) and SCCs for any data flows leaving the EU.
  2. The processing must be necessary for the service Argus provides; we don't add vendors for nice-to-haves.
  3. Adding the vendor goes through code review on frontend/lib/sub-processors.ts; the deploy that adds the entry here is the same deploy that brings the vendor online in production.