Sub-processors
Caltury uses the following sub-processors to deliver the Service. We choose providers carefully, contract with them on data-protection terms, and document the data flows. This list is published openly so you can satisfy your own due-diligence requirements.
We will provide written notice to account holders at least 30 days before adding a new sub-processor. If you object on reasonable compliance grounds, contact us at support@caltury.com.au.
Current sub-processors
| Provider | Role | Data | Location |
|---|---|---|---|
| Supabase, Inc. | Managed Postgres database, authentication, file storage | All Caltury application data including org, user, customer and AML/CTF records | Sydney, Australia (ap-southeast-2) |
| Vercel, Inc. | Application hosting and edge delivery | HTTP request metadata only. No persistent storage of customer records. | Sydney, Australia (Sydney pinned via Pro region) |
| Stripe, Inc. | Subscription billing and identity verification (Stripe Identity) | Billing details + identity document images, names, DOB, residential addresses when KYC is initiated | United States (with EU/AU regional infrastructure) |
| OpenSanctions / OCCRP | Sanctions and PEP screening API | Customer name and (optionally) date of birth, country | Germany (EU) |
| Anthropic, PBC | Text generation for structured SMR narrative drafting; you review every line before finalising | Structured SMR intake (excluding raw ID documents); risk-assessment responses | United States |
| Resend, Inc. | Transactional email delivery (sign-up confirmations, KYC links) | Recipient email addresses and message bodies | Asia-Pac (Tokyo) |
| Sentry (Functional Software, Inc.) | Application error monitoring | Stack traces and request metadata. PII scrubbed at SDK level. | United States |
| Cloudflare, Inc. | DNS authority + privacy-friendly Web Analytics | Aggregate page-view counts, country, browser/OS. NO cookies, NO individual user tracking, NO personally identifiable information. | Global edge network (anycast) |
| Microsoft Corporation (Clarity) | Session replay + heatmaps on marketing surfaces only (caltury.com.au public pages, sign-up + sign-in flows). NOT loaded on /dashboard, /onboarding, /r/, /c/ or any authenticated route. | Anonymous session recordings of clicks, scrolls and rage-clicks on marketing pages. Input field values masked by default (passwords, emails, ABNs never recorded). IP truncated by Clarity at collection. Used only to diagnose drop-off on the sign-up funnel. | United States (Microsoft Azure) |
Notes on overseas disclosures
Disclosures to overseas sub-processors are made under APP 8.1. We have taken reasonable steps to ensure each overseas recipient handles the information in a way consistent with the Australian Privacy Principles (e.g. by entering data-processing agreements and verifying their own privacy and security frameworks).
Last reviewed: 13 May 2026. Material changes are notified to account holders by email.