Subprocessors
A subprocessor is a third-party service we use to operate exchangerate.dev, each processing some category of data on our behalf under a data-processing agreement (or equivalent contractual protection). This page is the canonical list; our Terms of Service and Privacy Policy reference it rather than re-listing every vendor, so we can change providers without amending those documents.
Current subprocessors
| Service | Purpose | Data handled | Region | Privacy policy |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, invoicing, customer portal | Billing metadata (subscription status, last 4 of payment method), email, customer + subscription identifiers | US (PCI-DSS Level 1) | stripe.com/privacy |
| Supabase, Inc. | Primary Postgres database and authentication | Account data, API key hashes, usage metadata (no card data; no personal data in rate records) | US | supabase.com/privacy |
| Fly.io, Inc. | API hosting (stateless), plus self-hosted Redis for rate-limit counters | Request logs (IP, endpoint, status), ephemeral rate-limit counters keyed by org or IP | US-East (IAD) / global | fly.io/legal/privacy-policy |
| Cloudflare, Inc. | CDN, DNS, TLS termination, WAF / DDoS protection in front of the API | IP addresses, request headers, request metadata | Global edge network | cloudflare.com/privacypolicy |
| Vercel, Inc. | Marketing site, documentation, and dashboard hosting | Request logs (IP, endpoint, status), build outputs | Global edge (primary: US-East / IAD) | vercel.com/legal/privacy-policy |
| Sentry, Inc. | Error tracking and performance monitoring | Error stack traces, user agent, IP address at error time, redacted request metadata | US | sentry.io/privacy |
| Resend, Inc. | Transactional email delivery (account, billing, security notices) | Email address, message subject + body, delivery metadata | US | resend.com/legal/privacy-policy |
Reference data sources
The following public institutions are not subprocessors in the data-protection sense — we send them no personal data. They are the public reference layers behind the daily rates the Service returns:
- European Central Bank (ECB) — daily euro foreign-exchange reference rates (public reference data).
- U.S. Federal Reserve — H.10 foreign-exchange reference rates, accessed via FRED (public reference data).
Live (intraday and weekend) rates are computed from aggregated market data and are indicative, developer-grade reference values — not official, bank-grade, or settlement rates. Consistent with our Terms of Service, the Service describes this market data generically and returns the source field as a generic class rather than naming any individual venue.
Changes to this list
We maintain this list as providers change. Material changes are reflected here without requiring a separate Terms revision. Questions about a specific subprocessor: support@exchangerate.dev.