Sub-processors
MyShift uses the following sub-processors to deliver the service. This list is published per revFADP Art 19 (Switzerland) and GDPR Art 28 (EU customers).
Last updated: 2026-05-10 (Pass 76g — DPF cross-check + indirect-sub-processor disclosure). Customers receive 30-day prior notice of material sub-processor changes via the email address on file (manual notification at v1; RSS feed planned for v1.5+).
| Vendor | Purpose | Jurisdiction | Legal basis / safeguard |
|---|---|---|---|
| Vercel (Phase A only) | Web hosting | US/EU | DPA + SCC |
| Supabase (Phase A only) | Managed backend (Auth, DB, Storage, Realtime) | US/EU | DPA + SCC |
| Infomaniak (Phase B) | Self-host platform (K8s + Postgres + S3) | CH | DPA |
| Stripe | Payments (CHF Billing + Tax) | US / Ireland | DPA + SCC + EU-US/UK/Swiss-US DPF (active, participant 6436) |
| Resend | Transactional + magic-link email | US | DPA + SCC + EU-US/UK DPF (active; Swiss-US not asserted by Resend, transfers covered by SCC) |
| Sentry | Server-side error tracking (browser SDK disabled at Phase A) | US | DPA (v5.1.0, 2024-05-29 — stale, re-verify before Sprint 8) + SCC + EU-US/UK/Swiss-US DPF (active, participant 5869) |
| Infomaniak Network SA | Domain registrar (my-shift.ch) | CH | DPA (same vendor; the DPA already covers Phase B hosting) |
| Plausible | Analytics (cookieless, no PII; landing only) | EE (EU) | DPA |
| Expo (EAS) | Mobile build infrastructure | US | DPA + SCC |
| Bunny CDN (Phase B) | Content delivery network | SI (EU) | DPA, EU adequacy |
| Twilio | SMS (manager invitations, no-show alerts, critical security only) | US | DPA + SCC |
| Apple Inc. | Push notifications (APNs; mobile only) | US | Restricted-purpose token-only; no DPF certification (APNs is OS-level; no PII payload) |
| Google LLC | Push notifications (FCM; mobile only) | US | Restricted-purpose token-only + EU-US/UK/Swiss-US DPF (active, participant 5780) |
| GitHub Inc. | Source-code hosting + CI runners (commit metadata, build artefacts, repo secrets); no MyShift tenant PII | US | DPA + SCC + EU-US/UK/Swiss-US DPF (active per docs.github.com/en/site-policy/privacy-policies/global-privacy-practices, eff. 2026-04-27, fetched 2026-05-11); DPA at github.com/customer-terms/github-data-protection-agreement; tenant data does not flow through GitHub Actions |
Indirect sub-processors (informational)
The vendors above contract their own infrastructure providers (sub-sub-processors). MyShift has no direct contractual relationship with these underlying providers, but data flows transitively. We disclose them here per revFADP Art 19 + GDPR Art 28(2) transparency principles.
| Direct vendor | Underlying provider(s) | Source |
|---|---|---|
| Resend | Amazon Web Services Inc. (US) — primary email-sending host | resend.com/legal/subprocessors (fetched 2026-05-10) |
| Sentry | Amazon Web Services Inc. (US/EU), Google Cloud Platform (US/EU), Cloudflare Inc. (US) — cloud infrastructure | sentry.io/legal/subprocessors/ (fetched 2026-05-10) |
| Stripe | Amazon Web Services Inc. (US) + Amazon Internet Services Pvt Ltd (India) — cloud infrastructure | stripe.com/legal/service-providers (fetched 2026-05-10) |
| Twilio | Amazon Web Services, Google Cloud, Microsoft Azure — cloud infrastructure | www.twilio.com/en-us/legal/sub-processors (fetched 2026-05-10) |
| Vercel | Amazon Web Services, Google Cloud, Microsoft Azure — cloud infrastructure | security.vercel.com (fetched 2026-05-10) |
| Plausible | Hetzner Online GmbH (DE) — primary EU hosting; UpCloud Ltd (FI), Bunny.net (SI) — secondary EU | plausible.io/privacy (fetched 2026-05-10) |
Phase A vs Phase B
MyShift is currently in Phase A, running on Vercel + Supabase Cloud Frankfurt for pilot use. Phase B is the commercial-launch target on Infomaniak Geneva (Swiss data residency). At Phase B cutover, the Vercel and Supabase rows are replaced by the Infomaniak row. All other sub-processors are unchanged across phases.
Contact
Questions about sub-processors or data-protection requests: privacy@my-shift.ch.