Legal
Subprocessors
Last updated: 9 May 2026
DEC ehf. uses the sub-processors below to provide the Stokk service. Each is bound by a written agreement that imposes data-protection obligations no less protective than those in our Data Processing Addendum.
We will give at least 30 days’ notice on this page (and, where you have subscribed to the notification list, by email) before adding or replacing a sub-processor. To subscribe to changes, email privacy@stokkflow.com.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase | Managed database (Postgres), authentication and object storage. | All Customer Data and Personal Data stored in the Stokk service, including loyalty enrollee details and pass identifiers. | EU (Ireland) by default. Underlying infrastructure on AWS. |
| Vercel | Application hosting and edge delivery for the Stokk web app and APIs. | Request metadata, IP address, and any Personal Data transiting requests in flight. No persistent storage of Customer Data. | Global edge network; primary compute in EU regions where configured. |
| Anthropic, PBC | Large language model (Claude API) used to draft the Monday Morning Brief, supplier evaluations and other AI outputs. | Prompts containing summary information about suppliers, SKUs, sales and stock. Prompts are scoped per request and are not used to train shared models. | United States (transfers under Standard Contractual Clauses). |
| Apple Inc. | Apple Wallet pass delivery and updates via the Apple Push Notification service (APNs). | Pass payload, pass serial number, and the device push token issued by APNs for the device that installed the pass. | United States (transfers under Standard Contractual Clauses). |
| Google LLC | Google Wallet pass issuance and updates. | Pass class and object identifiers, pass content and the device identifier returned by Google Wallet for the saved pass. | United States (transfers under Standard Contractual Clauses). |
| Resend, Inc. | Transactional email delivery (loyalty pass distribution, account notifications). | Recipient email address, sender, message metadata and message body, including any links or attachments we generate. | United States (transfers under Standard Contractual Clauses). |
Notes
- The retailer’s own ERP (DK Plus, NetSuite, Microsoft Dynamics or Business Central) is the customer’s own system, not a sub-processor of DEC ehf.. We connect to it under your authorisation and on your instructions.
- Where any sub-processor is located outside the EEA, Iceland or the UK, transfers are made under the EU Standard Contractual Clauses (Module 3 where applicable) and equivalent UK transfer mechanisms.
Changelog
- v1 — 2026-05-09: initial publication.