Legal

Subprocessors

Last updated: May 15, 2026.

To deliver the service, ConsentFly engages the subprocessors listed below. Each one has been assessed for security, the existence of contractual data-protection clauses, and the international transfer mechanism where applicable. This page is updated whenever we add or replace a subprocessor.

For details on which data is processed, why, and for how long, see the Privacy Policy. The contractual regime applicable to customers using ConsentFly as a processor is described in the DPA.

Current list

| Subprocessor | Purpose | Location | International transfer |
| --- | --- | --- | --- |
| Cloudflare, Inc. | CDN, WAF, DDoS mitigation, and traffic routing. Visitor country/region resolution via the CF-IPCountry header. | USA, with global presence (anycast) | Standard Contractual Clauses (SCC) from the European Commission; ISO 27001 and SOC 2 Type II certified. |
| Vercel Inc. | Hosting for the public consentfly.com site and the dashboard SSR (Next.js). | USA (with EU regions when configured) | Standard Contractual Clauses (SCC) from the European Commission; SOC 2 Type II certified. |
| Railway Corp. | Hosting for the backend (Go/Gin) and the primary PostgreSQL database. | USA (us-west) | Standard Contractual Clauses (SCC) from the European Commission. |
| Resend, Inc. | Transactional email delivery (account verification, password reset, billing alerts). | USA, with infrastructure on AWS | Standard Contractual Clauses (SCC) from the European Commission; AWS is SOC 2 and ISO 27001 certified. |
| AbacatePay | Payment processing, invoice generation, and receipt issuing. | Brazil | Processed within Brazilian territory; direct application of the LGPD without need for an international transfer mechanism. |
| ipapi.co (Kloudend, Inc.) | Visitor country/region resolution from the IP address in environments without Cloudflare (dev/fallback). The IP is sent to the API only at lookup time — it is not persisted by ConsentFly. | USA | Standard Contractual Clauses (SCC) from the European Commission. |
| Google LLC (OAuth Sign-in) | Optional Google Sign-In authentication. We receive only the user ID, verified email, and name from Google — no other Google account data. | USA, with global presence | Standard Contractual Clauses (SCC) from the European Commission; Google operates under various certifications (ISO 27001, SOC 2, ISO 27701). |
| Sentry (Functional Software, Inc.) | Error and exception monitoring on the backend. We apply a PII filter before submission (emails and subject identifiers are stripped from the payload). | USA | Standard Contractual Clauses (SCC) from the European Commission; ISO 27001 and SOC 2 Type II certified. Optional subprocessor — can be disabled on the backend via environment variable. |

Changes to the list

When we add a new subprocessor that processes customer personal data in a processor role, we notify customers by email with at least 15 days' notice so they can evaluate the change. A customer who objects can cancel the subscription without penalty before the new subprocessor goes into production.

Contact

For questions about subprocessors or to receive formal change alerts:

Email: suporte@consentfly.com.br