Skip to content

Last updated: June 18, 2026

ScrambleSync Sub-processors

The third parties ScrambleSync engages to process personal data on the Customer's behalf to provide the service. This page is the canonical, public version of Section 8 of our DPA.

As of June 18, 2026. ScrambleSync engages the sub-processors listed below. We give Customers at least 30 days' prior notice before adding or replacing a sub-processor, and Customers may object on reasonable, good-faith data-protection grounds within that window.

Authorization

The Customer (tournament organizer) provides general written authorization for ScrambleSync to engage the sub-processors listed below to process personal data to provide the service. This page restates, and is kept consistent with, Section 8 of the [Data Processing Agreement](/legal/dpa) and Section 9 of the Privacy Policy; where this page and the DPA differ, the DPA controls.

ScrambleSync imposes data-protection obligations on each sub-processor that are no less protective than those in the DPA, and remains liable to the Customer for each sub-processor's performance.

Current sub-processors

  • Supabase — PostgreSQL database, authentication, RLS, real-time, and file storage. Receives all personal-data categories (no card data). Location: AWS us-west-1. Automated daily backups; point-in-time recovery available but not enabled.
  • Stripe — payment processing, checkout, settlement. Receives payment amount/currency, session and payment-intent IDs, product descriptions, and customer email if captured. Handles all card data directly (PCI-DSS Level 1; ScrambleSync is SAQ-A). Location: Stripe global infrastructure.
  • Resend — transactional email delivery. Receives recipient email and name, event/course/team names, codes, and links. Location: Resend global infrastructure (GDPR-compliant). Optional: if email is not configured, sending is silently skipped.
  • Cloudflare — CDN, DNS proxy, DDoS protection, TLS termination, edge caching. Receives HTTP request metadata (IP, user agent, referrer, path). Location: global edge network.
  • Sentry — error and performance monitoring. Receives stack traces, request context (request ID, user ID, URL), exception details, and breadcrumbs. Location: Sentry.io SaaS (United States).
  • Upstash — distributed rate limiting and optional circuit-breaker/cache state (Redis). Receives ephemeral rate-limit counters (IP + window state). Location: managed Redis (us-east-1 default; configurable). No long-term personal data at rest.
  • DigitalOcean — application hosting (App Platform) and log capture. Receives application logs (pseudonymized) and organizer-set environment variables. Location: per deployment config (default us-west).
  • Anthropic, PBC — powers the optional Scramble AI assistant (off by default; engaged only when the assistant is enabled and in use). Receives the content of the organizer's request and the scoped data needed to fulfill it. Inputs and outputs submitted through Anthropic's commercial API are not used to train Anthropic's models; content may be retained briefly only for safety/abuse monitoring, not training. Location: United States.

No external APM / tracing sub-processor today

Distributed tracing and external metrics export are not currently enabled — a custom OpenTelemetry pipeline was removed for stability and has not been re-introduced — so no trace/metric data is sent to any external APM provider today. If such a provider is later added, it will be listed here under the same 30-day change notice.

Change notice & objection

ScrambleSync will give the Customer at least 30 days' prior notice before adding or replacing a sub-processor (by email and/or in-product notice). The Customer may object on reasonable, good-faith data-protection grounds within that 30-day window. The parties will work in good faith to resolve the objection; if it cannot be resolved, the Customer may terminate the affected portion of the service as its sole remedy, without penalty for the unused, prepaid period.

To request the current sub-processor list, a counter-signed DPA, or the incorporated Standard Contractual Clauses, contact [email protected] with the subject line “DPA Request — [Your Organization Name]”.

This page reflects ScrambleSync's actual sub-processors as of the date shown and is kept consistent with Section 8 of the DPA. The binding terms are those of the DPA and the Terms of Service. ScrambleSync is operated by Coyote Valley Technology Solutions, LLC, 9011 N Clubhouse Lane, Eagle Mountain, UT 84005, USA.