Legal
Subprocessors
- Effective:
- 17 May 2026
- Last updated:
- 17 May 2026
In short: These are the third-party services Cavaliq uses to deliver the platform. Each is bound by written terms equivalent to those in our Data Processing Addendum. We give clubs 10 days' notice before adding a new subprocessor.
Cavaliq engages the following subprocessors to deliver the platform. Each entity processes the categories of data described below on our behalf, under written contractual terms equivalent to those in our Data Processing Addendum.
We’ll give Clubs at least 10 days’ notice before adding or replacing a subprocessor by emailing the billing contact and updating this page. Clubs can object on reasonable data protection grounds — see section 6 of the DPA.
Current subprocessors
| Provider | Service | Data categories | Location | Transfer mechanism |
|---|---|---|---|---|
| Clerk | Identity and authentication | Account identifiers, email, sign-in timestamps, IP address | United States | Contractual safeguards equivalent to EU SCCs |
| Neon (Postgres) | Primary application database | All Club Personal Data not handled by a payment processor — accounts, bookings, riders, horses (medical fields encrypted at rest) | United States (region selectable; current production: US-East) | Contractual safeguards equivalent to EU SCCs; encryption at rest |
| Cloudflare | Edge hosting, CDN, DDoS protection, Workers runtime, R2 object storage | Request metadata, IP address, browser fingerprint; uploaded files in R2 | Global edge — request served from nearest data centre | Contractual safeguards equivalent to EU SCCs |
| Resend | Transactional email delivery | Recipient email, name, email content (booking confirmations, receipts, alerts) | United States and EU | Contractual safeguards equivalent to EU SCCs |
| Sentry | Error monitoring and performance tracing | Crash stack traces, performance traces, sanitised request metadata. Form values, tokens, and passwords are stripped before send. | United States (us.sentry.io) | Contractual safeguards equivalent to EU SCCs |
| Stripe | Payment processing for clubs that connect Stripe | Card data flows directly from the rider browser to Stripe. Cavaliq receives only tokens and references. Stripe also processes its own card-network data for fraud and compliance. | United States, EU | Stripe's published cross-border transfer safeguards (SCCs) |
| Ziina | Payment processing for clubs that connect Ziina | Payment tokens, transaction references | United Arab Emirates | Domestic processing within the UAE |
| Network International (N-Genius) | Card payment processing for clubs that connect N-Genius | Payment tokens, transaction references | United Arab Emirates | Domestic processing within the UAE |
| Ably | Real-time messaging for in-app updates | Channel identifiers, IP address, ephemeral message payloads | EU and US data centres | Contractual safeguards equivalent to EU SCCs |
| Upstash | Rate limiting and ephemeral cache (Redis) | IP address, request fingerprint, short-lived counters | Global low-latency replicas | Contractual safeguards equivalent to EU SCCs |
A note on payment processors
Stripe, Ziina, and Network International are listed here for transparency, but their role differs from a typical subprocessor. When a rider pays for a lesson, the card or wallet data flows directly from the rider’s browser to the processor — Cavaliq never sees the card details. The processor acts as a separate, independent controller of the cardholder’s payment data under its own terms. Cavaliq only receives the tokens and references needed to record the transaction.
Subscribe to changes
If you want to be notified of every change to this list (in addition to the in-product notice to your Club’s billing contact), email info@cavaliq.com and we’ll add you to a change-notification list.