DRAFT — NOT LEGAL ADVICE — counsel must review before go-live
Magic Sites Sub-processors
Last updated: 2026-04-23
Jurisdiction / governing law: [STATE TBD BY COUNSEL]
Counsel TODO:
- Confirm this is the full ship-list at retail launch. Add / remove per actual deploy.
- Confirm each sub-processor’s DPA is signed and on file (Cloudflare, Stripe, WorkOS, Resend, PostHog).
- Confirm EU/UK transfer mechanism per provider (all five publish SCCs; verify current URLs).
- Confirm region-selection knobs — e.g., PostHog EU vs US project, Cloudflare data-localization Suite if used.
- Confirm whether we should list Workers AI / Gemini (Google) as an AI sub-processor where applicable.
- Confirm sub-processor notification: email list + RSS/webpage mechanism, 30-day default (from DPA §6).
Overview
Magic Sites uses the sub-processors listed below to operate the Service. Each sub-processor has contractual commitments aligned with the DPA (dpa.md). AMS gives at least 30 days’ advance notice of additions or replacements per DPA §6.
Sub-processor table
| # | Sub-processor | Purpose | Data categories transferred | Processing location(s) | Transfer mechanism / DPA | Security posture reference |
|---|---|---|---|---|---|---|
| 1 | Cloudflare, Inc. | Hosting, CDN, DNS, edge compute (Workers), storage (R2, KV, D1), email routing, zero-trust. | Account identifiers, Customer Content, site visitor IP/request metadata, logs. | US (global edge; data-at-rest primarily US with regional options). | Cloudflare DPA with SCCs + UK Addendum. | SOC 2 Type II, ISO 27001, PCI DSS, FedRAMP Moderate, GDPR. |
| 2 | Stripe, Inc. | Payment processing, subscription billing, tax, invoicing. | Billing name/address, email, payment-method metadata (PAN stored by Stripe only), transaction data, tax IDs. | US and processing regions per card network. | Stripe DPA with SCCs + UK IDTA. | PCI DSS Level 1, SOC 1 + SOC 2 Type II, ISO 27001, GDPR. |
| 3 | WorkOS, Inc. | Authentication, SSO, SCIM, AuthKit session management. | Account email, name, SSO identifiers, session tokens, MFA factors, audit logs. | US. | WorkOS DPA with SCCs. | SOC 2 Type II, ISO 27001, HIPAA-ready, GDPR. |
| 4 | Resend, Inc. | Transactional email delivery, bounce/complaint handling. | Recipient email, sender metadata, email content (per Customer instructions), delivery events. | US. | Resend DPA with SCCs. | SOC 2 Type II, GDPR. |
| 5 | PostHog, Inc. | Product analytics, session replay (opt-in), feature flags, error tracking. | Pseudonymous user IDs, event properties, device/browser metadata, IP (truncated where feasible). | EU project (Frankfurt) and/or US project depending on customer region. | PostHog DPA with SCCs + UK Addendum. | SOC 2 Type II, ISO 27001, GDPR, HIPAA BAA available. |
Notes
- “Processing location” reflects primary region; global CDN providers (Cloudflare) may cache at edge locations worldwide per routing logic.
- AMS does not currently use third-party AI providers (OpenAI, Anthropic) for the Service. AI features rely on Cloudflare Workers AI and [Google Gemini — COUNSEL CONFIRM INCLUSION].
- AMS does not sell, share (as defined by CPRA), or use Personal Data for cross-context behavioral advertising with any sub-processor.
Subscribing to changes
To receive notice of sub-processor changes, email privacy@auramediastudios.com with the subject “Subscribe: sub-processor updates”. We also publish changes on this page with an updated date.
Contact
privacy@auramediastudios.com