This page lists the third parties (“subprocessors”) that process personal information on behalf of IVERIFI, LLC d/b/a SpitShake. Together with our Data Processing Addendum, this page forms the Annex III subprocessor list required by GDPR Article 28(2).Documentation Index
Fetch the complete documentation index at: https://docs.spitshake.io/llms.txt
Use this file to discover all available pages before exploring further.
Change notice
We will give Tenants at least 30 days’ advance notice before adding a new subprocessor or changing an existing one’s scope. Notices will be posted on this page. If you are an enterprise Tenant and object to a new subprocessor on reasonable grounds, contact dpo@spitshake.io — we will work with you in good faith to find an alternative or, failing that, give you a pro-rata refund for the affected period.Current subprocessors
| Provider | Role | Region | Data categories received |
|---|---|---|---|
| Railway | Application hosting, managed PostgreSQL, managed Redis | United States | All processed data transits the application layer; database stores encrypted-at-rest PII, document metadata, and audit records. |
| AWS (S3) or Cloudflare R2 | Encrypted document object storage | United States | Signed documents, thumbnails. Documents are client-side encrypted before upload; storage provider sees ciphertext only. |
| Stripe | Payments processing (tenant billing); Stripe Identity (optional identity verification for signers, per-tenant opt-in) | United States; Ireland (EU processing region where applicable) | Billing identifiers, card information (tokenized by Stripe), billing addresses. For Stripe Identity: signer-provided government ID and selfie, handled under Stripe’s own terms. |
| Resend | Transactional email delivery (invitations, reminders, completion notices) | United States | Recipient email, sender name, subject line, message body. |
| Sentry | Application error monitoring | United States (self-hosted EU option on enterprise) | Stack traces with PII-scrubbing rules applied; truncated user-agent; IP hash. |
| PostHog | Product analytics for the tenant administrator console only | United States (self-hosted EU option available) | Admin click events and session context. Not enabled on signer-facing signing pages. |
| Cloudflare (if configured) | CDN, DDoS protection, WAF | Global edge | In-transit data only; no persistent storage of personal information. |
Corporate family
IVERIFI, LLC is wholly owned by ADS CORP, our ultimate parent company. Limited data may be shared with ADS CORP for corporate governance, finance, and internal audit purposes under the corporate-family exemption to standard third-party sharing restrictions. ADS CORP is not a subprocessor in the GDPR Article 28 sense — it is an upstream affiliate disclosed here for transparency.How to stay updated
- Tenants: notices of subprocessor changes are posted here at least 30 days in advance. We recommend bookmarking this page and reviewing it quarterly. Email notification for enterprise tenants can be arranged through your account contact.
- Signers: if the tenant you signed with has questions about subprocessors, they should follow the tenant-facing notice process above.
Questions
Contact dpo@spitshake.io.Service provided by IVERIFI, LLC d/b/a SpitShake (a Connecticut limited liability company wholly owned by ADS CORP). Last updated: 2026-04-19.