Subprocessors
Last Updated: January 2026
Introduction
To provide the Vastyn platform, we engage third-party service providers ("subprocessors") who may process personal data on our behalf. This page lists our current subprocessors in accordance with GDPR Article 28.
We carefully select subprocessors that maintain high security and privacy standards. All subprocessors are contractually bound to protect your data.
What is a Subprocessor?
A subprocessor is a third-party company that processes personal data on behalf of Vastyn to help us deliver our services. They only process data according to our instructions and are subject to strict contractual obligations.
Current Subprocessors
Infrastructure & Hosting
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, data storage | All platform data | UK (London), EU (Frankfurt), US (as applicable to user region) |
AWS Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS Level 1
Payment Processing
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Payment processing, billing | Name, email, payment card details, billing address | UK, EU, US (as applicable) |
Stripe Certifications: PCI DSS Level 1
Note: Payment card details are processed directly by Stripe. Vastyn does not store your full card number.
Email Services
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon SES (Simple Email Service) | Transactional email delivery | Email address, name, email content | User's region (UK/EU/US) |
Transactional emails include: account notifications, order alerts, password resets, and system notifications.
Analytics
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Analytics | Website usage analytics | IP address (anonymised), device info, pages visited | US (with EU data processing) |
Note: We use IP anonymisation. No personal information from your Vastyn account is sent to Google Analytics.
Marketplace Integrations
When you connect marketplace accounts, data flows between Vastyn and those platforms. These are not subprocessors — they are third-party services you authorise directly.
| Platform | Data Exchanged | Their Privacy Policy |
|---|---|---|
| Amazon | Orders, inventory, listings, buyer info | Amazon Privacy Policy |
| eBay | Orders, inventory, listings, buyer info | eBay Privacy Policy |
| Shopify | Orders, inventory, products, customers | Shopify Privacy Policy |
| WooCommerce | Orders, inventory, products, customers | Self-hosted (your responsibility) |
| TikTok Shop | Orders, inventory, listings | TikTok Privacy Policy |
| Etsy | Orders, inventory, listings | Etsy Privacy Policy |
| Other marketplaces | Orders, inventory, listings | See respective platform policies |
You control which marketplaces you connect. Vastyn accesses marketplace data via official APIs with your authorisation.
Data Location Summary
We ensure your data stays in your region:
| Your Region | Primary Data Location | Subprocessors in Region |
|---|---|---|
| United Kingdom | AWS London (eu-west-2) | AWS, Stripe UK |
| European Union | AWS Frankfurt (eu-central-1) | AWS, Stripe EU |
| United States | AWS US regions | AWS, Stripe US |
International transfers: Where subprocessors are based outside your region (e.g., Google Analytics), appropriate safeguards are in place including Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreements (IDTAs).
Subprocessor Requirements
All our subprocessors must:
- Sign a Data Processing Agreement (DPA)
- Implement appropriate technical and organisational security measures
- Only process data according to our documented instructions
- Ensure personnel are bound by confidentiality
- Assist with data subject rights requests
- Delete or return data upon termination
- Allow for audits and inspections
- Notify us of any security incidents
Changes to Subprocessors
Notification of Changes
We may update our subprocessors from time to time. When we add or change a subprocessor:
- We will update this page
- We will update the "Last Updated" date
- For material changes, we will notify customers via email at least 30 days in advance
Subscribe to Updates
To be notified of subprocessor changes, contact us at hello@vastyn.com to join our notification list.
Objection Rights
Under GDPR, you may object to a new subprocessor. If you have concerns about a subprocessor change:
- Contact us at hello@vastyn.com within 30 days of notification
- We will discuss your concerns and explore alternatives
- If we cannot resolve the objection, you may terminate your account
Previous Subprocessors
We maintain records of previous subprocessors for transparency:
| Subprocessor | Purpose | Removed Date | Reason |
|---|---|---|---|
| None yet | — | — | — |
Data Processing Agreement
Business customers may require a formal Data Processing Agreement (DPA) for their compliance records.
To request a DPA:
- Email: hello@vastyn.com
- Subject: "DPA Request"
- Include: Your company name and Vastyn account email
We will provide a signed DPA within 5 business days. You can also view our DPA template.
Frequently Asked Questions
Why do you use subprocessors?
Subprocessors provide specialised services (hosting, payments, email) that would be impractical for us to build ourselves. Using established providers like AWS and Stripe means you benefit from their enterprise-grade security and reliability.
Is my data safe with these subprocessors?
Yes. We only work with subprocessors that meet strict security standards. AWS and Stripe, for example, maintain the highest industry certifications (ISO 27001, SOC 2, PCI DSS).
Can I opt out of certain subprocessors?
Our core subprocessors (AWS, Stripe, AWS SES) are essential to provide the service. Analytics (Google Analytics) can be disabled via cookie preferences. Marketplace connections are entirely optional — you choose which to connect.
Where can I find subprocessor privacy policies?
| Subprocessor | Privacy Policy |
|---|---|
| AWS | aws.amazon.com/privacy |
| Stripe | stripe.com/privacy |
| policies.google.com/privacy |
Will you notify me of changes?
Yes. Material changes to subprocessors will be notified via email at least 30 days in advance. This page is always kept up to date.
Contact Us
If you have questions about our subprocessors or data processing:
Email: hello@vastyn.com
Post:
Versatile Commerce Ltd
Maritime House, Discovery Quay
Falmouth, Cornwall
TR11 3XA
United Kingdom
Document Information
| Field | Value |
|---|---|
| Document: | Subprocessor List |
| Controller: | Versatile Commerce Ltd |
| Company Number: | 10984996 |
| ICO Registration: | 00019463104 |
| Last Updated: | January 2026 |
| Review Frequency: | Upon any subprocessor change |