Subprocessors
Last updated: 2026-04-27
WAVE Online, LLC engages third-party service providers (subprocessors) to process Customer Personal Data on our behalf. This list is incorporated by reference into our Data Processing Agreement (DPA).
Notification of changes
WAVE provides at least 30 days' prior notice of new subprocessors via email to designated contacts and a posted update on this page. Customers with applicable agreements may object to a new subprocessor on reasonable grounds within 14 days of notice; if the objection cannot be resolved, you may terminate the affected services with a pro-rata refund.
To receive subprocessor-change notifications, email dpa-updates@wave.online with the subject “Subscribe to subprocessor updates.”
Current subprocessors
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Managed PostgreSQL + Auth | US | DPA + SOC 2 |
| Vercel | Application hosting | Global edge | DPA + SOC 2 |
| Cloudflare | CDN + WAF + DDoS protection | Global | DPA + SOC 2 + ISO 27001 |
| Cloudflare R2 | Object storage for media | US/EU/APAC regions | DPA + SOC 2 |
| Upstash | Redis (rate limit + cache) | US/EU regions | DPA + SOC 2 |
| Mux | Video infrastructure | US | DPA + SOC 2 |
| LiveKit | WebRTC SFU + recording | US/EU regions | DPA + SOC 2 |
| Stripe | Payment processing + Connect | US (with regional routing) | DPA + PCI DSS Level 1 |
| Bridge (Stripe) | Stablecoin / USD orchestration | US | DPA + MTL |
| Privy | Wallet infrastructure | US | DPA + SOC 2 |
| Twilio | SMS + Voice + RCS | US (regional carriers) | DPA + SOC 2 + carrier agreements |
| Resend | Transactional email | US | DPA + SOC 2 |
| Slack (notifications) | Internal alerts only — no customer data | US | DPA + SOC 2 |
| Anthropic | Claude API for AI features | US | DPA + BAA available + SOC 2 |
| OpenAI | GPT API for AI features (selected workloads) | US | DPA + SOC 2 + zero retention option |
| Deepgram | Real-time speech-to-text | US | DPA + SOC 2 |
| ElevenLabs | Voice synthesis | US | DPA + SOC 2 |
| Sentry | Error tracking + performance monitoring | US | DPA + SOC 2 + ISO 27001 |
| Dash0 | OpenTelemetry observability | EU (Frankfurt) | DPA + SOC 2 |
| Grafana Cloud | Metrics + dashboards | US/EU | DPA + SOC 2 |
| PhotoDNA (Microsoft) | CSAM hash matching | US | BAA + SOC 2 |
| PostHog | Product analytics + feature flags | US/EU regions | DPA + SOC 2 |
| Intercom | Customer support messaging | US/EU regions | DPA + SOC 2 |
| Persona | KYC / identity verification (Connect creators) | US | DPA + SOC 2 + GLBA |
International data transfers
For transfers from the EU/UK to the US (or other jurisdictions without an adequacy decision), WAVE relies on the EU Standard Contractual Clauses (Module 2 — Controller to Processor) incorporated into our DPA, supplemented by a Transfer Impact Assessment per the Schrems II decision.
Healthcare customers (HIPAA)
For Customers under a Business Associate Agreement, WAVE only routes Protected Health Information through subprocessors that have signed BAAs with WAVE. The BAA-eligible subprocessor list is a subset of the above; see your BAA for the current list.