Sub-processors
Genorah Labs engages third-party service providers ("sub-processors") to assist in delivering our services. These sub-processors may process personal data on our behalf in accordance with our instructions and applicable data protection laws, including GDPR Article 28 and Indonesian PP No. 71/2019.
All sub-processors are bound by Data Processing Agreements (DPAs) that require them to:
- Process personal data only on our documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Notify us promptly of any personal data breaches
- Assist us in responding to data subject rights requests
- Return or delete all personal data upon termination of services
- Submit to audits and inspections as required by GDPR Article 28(3)(h)
Where sub-processors are located outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, primarily through Standard Contractual Clauses (SCCs) approved by the European Commission.
Current sub-processors
| Sub-processor | Purpose | Location | Data types | Safeguards |
|---|---|---|---|---|
| Supabase | Database, authentication, and backend infrastructure | United States (AWS us-east-1) | Account data, Project data, Authentication credentials | Standard Contractual Clauses (SCCs), SOC 2 Type II, AES-256 encryption |
| Netlify | Web hosting, CDN, and edge functions | United States / Global CDN | Website content, Access logs, Form submissions | SOC 2 Type II, TLS 1.3, DPA in place |
| Google Cloud Platform (GCP) | Cloud infrastructure, analytics, and AI services | Singapore, United States, Taiwan | Analytics data, Cloud workload data, AI processing inputs | SCCs, ISO 27001, SOC 2/3, encryption at rest and in transit |
| Google Analytics | Website usage analytics and performance monitoring | United States | Usage data, Device info, IP address (anonymized) | IP anonymization enabled, SCCs, data retention 26 months |
| Resend | Transactional and marketing email delivery | United States | Email addresses, Message content, Delivery metadata | SOC 2 Type II, TLS encryption, DPA in place |
| Stripe | Payment processing and billing | United States / Ireland (EU customers) | Payment card tokens, Billing addresses, Transaction records | PCI-DSS Level 1, SCCs, AES-256 encryption |
| Slack Technologies (Salesforce) | Internal communication and client collaboration | United States | Messages, Files, User profiles | SOC 2 Type II, SOC 3, ISO 27001, encryption at rest |
| Notion Labs | Documentation, knowledge base, and project management | United States | Documents, Project notes, User activity | SOC 2 Type II, AES-256 encryption, DPA in place |
| Figma | UI/UX design and prototyping | United States | Design files, Comments, User profiles | SOC 2 Type II, ISO 27001, encryption in transit and at rest |
| GitHub (Microsoft) | Source code hosting and version control | United States | Source code, Issue tracking, CI/CD metadata | SOC 2 Type II, ISO 27001, encryption at rest |
| Cloudflare | DNS, DDoS protection, and edge security | Global | DNS queries, Traffic metadata, Security logs | SOC 2 Type II, TLS 1.3, DPA in place |
| 1Password | Password and secrets management | United States / Canada | Encrypted credentials, Access logs | SOC 2 Type II, end-to-end encryption, zero-knowledge architecture |
Changes to sub-processors
We review our sub-processor list regularly. If we add or replace a sub-processor that processes personal data, we will notify affected clients via email at least 30 days in advance, where required by our Data Processing Agreement or applicable law.
Clients may object to a new sub-processor by contacting our Data Protection Officer within 14 days of notification. If we cannot address your concerns, you may terminate the affected services without penalty, subject to the terms of your service agreement.
Questions about this policy?
Our legal team is here to help. Reach out for any privacy, compliance, or legal inquiries.
Office
Jakarta, Indonesia
Response Time
Ack: 3×24h / Fulfill: 14 days
Office Hours
Mon–Fri, 09:00–18:00 WIB