Subprocessors
Last updated: June 7, 2026
Subprocessors
Effective date: June 7, 2026
To deliver Troja, operated by FounderGem LLC, we engage a small number of trusted third-party subprocessors that process personal data on our behalf. This page lists our current subprocessors as required by our Data Processing Addendum and Privacy Policy. Questions: support@troja.dev.
Current subprocessors
| Subprocessor | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase | Managed Postgres database and authentication; stores accounts and scan results | USA / EU | Email, hashed credentials, session tokens, submitted URLs, scan results |
| Stripe | Payment processing, subscription billing, and fraud prevention | USA | Name, email, billing metadata, payment tokens, transaction history |
| Railway | Application hosting and compute for the Service and scan engine | USA | Application data in transit, logs, submitted URLs during processing |
| Cloudflare | DNS, CDN, and web application firewall (WAF) | USA | IP addresses, request metadata, security/bot-mitigation signals |
| Resend | Transactional email delivery (receipts, scan alerts, account notices) | USA | Email address, message content, delivery metadata |
Notes on the table
- Supabase is our system of record. Personal data and scan results are stored in Postgres with access controls and encryption in transit.
- Stripe handles all card data directly; raw card numbers never reach Troja's servers.
- Railway runs our application and scan workloads; data is processed transiently during scans.
- Cloudflare sits in front of the Service to provide security and performance.
- Resend (our transactional email provider; Postmark may be used as a backup provider) sends operational emails. We do not use it for unsolicited marketing.
How we manage subprocessors
Before engaging a subprocessor, we assess its security and privacy posture and put in place a data-processing agreement with terms no less protective than our own DPA. Each subprocessor is limited to the data necessary for its function.
International transfers
Some subprocessors process data in the United States. Where personal data of EU/EEA or UK individuals is transferred, we rely on Standard Contractual Clauses or equivalent safeguards.
Changes and notifications
We may add or replace subprocessors as the Service evolves. When we make material changes to this list, we will update this page and, where required by the DPA, notify affected customers so they can review or object on reasonable grounds.
To subscribe to subprocessor-change notifications or to raise an objection, email support@troja.dev.