Sub-Processors
List of third parties that may process customer or merchant data on behalf of Chainmore OÜ. Maintained pursuant to GDPR Article 28(2). Updated when a sub-processor is added or replaced; merchants may subscribe to change notifications via support@chainmore.io.
Active sub-processors
These are the sub-processors that may currently process customer, merchant, or public-site visitor data on behalf of Chainmore OÜ. As of the date below, exactly one sub-processor is active.
| Sub-processor | Purpose | Data category | Region | Transfer mechanism |
|---|---|---|---|---|
| Netlify, Inc. | Static hosting and CDN for the public marketing site (chainmore.io), its public legal pages, and the public waitlist form handler. ChainMore does not send production merchant dashboard, gateway, internal-operations, or end-customer payment data to Netlify. | Website visitor logs (IP address, user-agent, requested URL) and waitlist form submissions (work email address plus technical form metadata). | United States | EU-US Data Privacy Framework where active for the relevant entity, EU SCCs Module 2 as fallback. DPF status verified at each annual review. |
Categories of sub-processors not yet engaged
ChainMore has not yet activated production hosting for the merchant dashboard, gateway, or identity provider. As soon as a sub-processor is selected for any of the categories below, the Processor will give merchants 14 calendar days' written notice (with the full vendor row added to the active list) before that sub-processor begins processing personal data.
The categories below are forward-looking statements about the operating model the Processor intends to build. They are not commitments to any specific vendor.
| Category | Function the Processor expects to outsource | Region preference | Mitigations before activation |
|---|---|---|---|
| Production hosting | Compute and managed-service hosting for the merchant dashboard, gateway API, and identity provider. | EU preferred (Frankfurt or equivalent) | At-rest encryption confirmed in the chosen provider's terms, GDPR-compliant DPA executed, SCCs Module 2 attached for any non-EEA fallback. |
| Transactional email | Outbound merchant emails: account verification, password reset, webhook-delivery alerts. | EU preferred | DKIM, SPF, DMARC alignment under chainmore.io, bounce-and-suppression handling enabled, audit trail of dispatched messages retained. |
| Error tracking | Frontend and backend exception tracking for incident response. | EU preferred | Server-side PII scrubbing configured before any event leaves Processor infrastructure, scrubbing rule-set reviewed annually. |
| Operational database | Primary OLTP database for merchant data, gateway state, and audit-log storage. | EU preferred | At-rest encryption, TLS in transit, point-in-time recovery enabled. |
What we don't use
For transparency, ChainMore explicitly does not use the following classes of services on customer-facing surfaces:
- Behavioural advertising or retargeting trackers (Google Ads, Meta Pixel, etc.).
- Third-party web-analytics tools that use tracking cookies (Google Analytics, Adobe Analytics, etc.). If we add analytics later, it will be a privacy-preserving option (Plausible, Fathom, or similar) and will appear on this list.
- Customer-data brokers, data-enrichment services, or lead-scoring vendors.
- Chat widgets that load third-party scripts on the marketing site.
Sub-processor change notification
Per GDPR Article 28(2), ChainMore will give merchants prior written notice of any intended changes to this list. Notice mechanism, once production merchants are onboarded:
- Email to the merchant's primary contact at least 14 days before the new sub-processor begins processing.
- Update to this page on the same day the email is sent.
- An announcement in the merchant dashboard's status banner for at least 7 days after the change takes effect.
Merchants may object to a new sub-processor in writing within the 14-day window. If we cannot accommodate the objection (for example, the sub-processor is on a critical infrastructure path), the merchant may terminate the agreement without penalty.
How to verify this page is current
The page footer carries a "Last updated" date. The canonical URL is https://chainmore.io/legal/sub-processors.html. The Processor maintains an internal change-log alongside the source-of-truth annex; controllers receive a copy as part of their DPA pack and are notified of any change before it takes effect.
Last updated: April 2026 · Questions: support@chainmore.io