To deliver a fast, intelligent, and secure experience, Macha uses a small set of carefully vetted third-party service providers — known as sub-processors — to help process your data.
Each sub-processor is contractually bound by Data Processing Agreements (DPAs) and must meet strict security and privacy standards.
List of Sub-Processors
| Provider | Purpose | Data Location | Security Measures |
|---|---|---|---|
| Supabase | Stores embeddings (e.g., Shopify, macros) | Frankfurt, Germany | AES-256 encryption, SOC2 pending |
| MongoDB | Stores Macha app configurations | Frankfurt, Germany | Encrypted fields, used only for internal settings |
| DigitalOcean | Hosting platform for Macha | Frankfurt, Germany | Secure infrastructure, ISO/IEC 27001 |
| OpenAI | Powers generative AI responses | United States | SCCs, EU-U.S. Data Privacy Framework |
| Stripe | Payment processing | APAC | PCI-DSS Level 1, full tokenization |
These vendors do not access your data unless explicitly required for service delivery — and always under encrypted, logged, and permissioned conditions.
How We Choose Our Sub-Processors
Before onboarding a sub-processor, we evaluate:
-
Security certifications (e.g., SOC2, ISO)
-
Data residency compliance
-
Auditability and breach history
-
DPA agreements and lawful transfer mechanisms
We continuously monitor these providers and update contracts as needed to stay compliant with evolving privacy laws.
Cross-Border Data Transfers
When data must leave the EU (e.g., to OpenAI in the U.S.), we use:
-
Standard Contractual Clauses (SCCs)
-
EU-U.S. Data Privacy Framework, when applicable
This ensures legal compliance and continued protection of personal data, even when processed abroad.
Want to Know More?
If you'd like detailed documentation or need a signed DPA with Macha, email us at support@getmacha.com.