Overview
This page lists the sub-processors that SellStein engages to process personal data on behalf of its customers (Controllers). Each sub-processor is bound by a written agreement that imposes data protection obligations equivalent to those in our Data Processing Agreement (DPA), and where the sub-processor processes personal data outside the EEA, appropriate safeguards (Standard Contractual Clauses or an equivalent transfer mechanism) are in place.
We notify Controllers of intended changes to this list via in-app notification or email at least 30 days before adding a new sub-processor. To object to a new sub-processor, contact support@mail.sellstein.com within that period. If we cannot reach a resolution, you have the right to terminate the affected services.
Sub-processors are grouped by purpose. Some are activated only when you opt into a specific feature or integration.
Current Sub-Processors
Payments and Fraud
| Sub-Processor | Purpose | Data Processed | Location / Transfer Mechanism |
|---|---|---|---|
| Fiserv (CardConnect / ISV) | Card processing and merchant account boarding for SellStein Payments | Merchant identity and business data, bank account details, cardholder and transaction data | United States. PCI DSS Level 1. Bound by contract and Standard Contractual Clauses for transfers. |
| NMI (Network Merchants) | Payment gateway and merchant boarding for SellStein Payments | Merchant identity and business data, bank account details, cardholder and transaction data | United States. PCI DSS Level 1. Bound by contract and Standard Contractual Clauses for transfers. |
| Stripe, Inc. | Card processing and subscription billing (where you connect Stripe) | Cardholder and transaction data, billing contact details | United States. PCI DSS Level 1, SOC 1 & 2. Standard Contractual Clauses for transfers. |
Fiserv (CardConnect / ISV)
Purpose: Card processing and merchant account boarding for SellStein Payments
Data Processed: Merchant identity and business data, bank account details, cardholder and transaction data
Location / Transfer Mechanism: United States. PCI DSS Level 1. Bound by contract and Standard Contractual Clauses for transfers.
NMI (Network Merchants)
Purpose: Payment gateway and merchant boarding for SellStein Payments
Data Processed: Merchant identity and business data, bank account details, cardholder and transaction data
Location / Transfer Mechanism: United States. PCI DSS Level 1. Bound by contract and Standard Contractual Clauses for transfers.
Stripe, Inc.
Purpose: Card processing and subscription billing (where you connect Stripe)
Data Processed: Cardholder and transaction data, billing contact details
Location / Transfer Mechanism: United States. PCI DSS Level 1, SOC 1 & 2. Standard Contractual Clauses for transfers.
Identity Verification (KYC)
| Sub-Processor | Purpose | Data Processed | Location / Transfer Mechanism |
|---|---|---|---|
| Cloudflare Workers AI | In-house identity verification: matching your selfie to your ID document and screening for spoofing | Government-ID document images, selfie and liveness media, processed transiently for the verification decision | Cloudflare global edge. We run this ourselves on Cloudflare Workers AI — no separate identity-verification vendor receives your documents. |
Cloudflare Workers AI
Purpose: In-house identity verification: matching your selfie to your ID document and screening for spoofing
Data Processed: Government-ID document images, selfie and liveness media, processed transiently for the verification decision
Location / Transfer Mechanism: Cloudflare global edge. We run this ourselves on Cloudflare Workers AI — no separate identity-verification vendor receives your documents.
Infrastructure
| Sub-Processor | Purpose | Data Processed | Location / Transfer Mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, edge compute, D1 database, and R2 object storage | All platform data, including encrypted identity and financial data at rest | 300+ global edge locations. ISO 27001, SOC 2 Type II. Standard Contractual Clauses for transfers. |
Cloudflare, Inc.
Purpose: Hosting, CDN, edge compute, D1 database, and R2 object storage
Data Processed: All platform data, including encrypted identity and financial data at rest
Location / Transfer Mechanism: 300+ global edge locations. ISO 27001, SOC 2 Type II. Standard Contractual Clauses for transfers.
Email and Messaging
| Sub-Processor | Purpose | Data Processed | Location / Transfer Mechanism |
|---|---|---|---|
| Twilio Inc. (SendGrid) | Transactional and notification email delivery | Recipient email addresses and email content | United States. SOC 2 Type II. Standard Contractual Clauses for transfers. |
Twilio Inc. (SendGrid)
Purpose: Transactional and notification email delivery
Data Processed: Recipient email addresses and email content
Location / Transfer Mechanism: United States. SOC 2 Type II. Standard Contractual Clauses for transfers.
How to Object
To object to a sub-processor or request a copy of executed Standard Contractual Clauses, email support@mail.sellstein.com. Pending resolution, you may suspend processing or terminate the relevant service in your dashboard.