Subprocessor List
Consumer Dividends Holding Corp
Last updated: June 14, 2026
This list identifies the third-party service providers ("subprocessors") that may process customer personal data on behalf of Consumer Dividends Holding Corp. We publish it so that customers, their counsel, and their compliance teams can evaluate our supply chain. Updates are reflected in the "Last updated" date and, for material changes, emailed to active customers and Agency tier contacts at least 30 days before they take effect.
Active subprocessors
| Provider | Purpose | Data processed | Region | Compliance |
|---|---|---|---|---|
| Railway | Application hosting (Numidian, ListingPro) | All inputs and outputs during processing; access codes; usage logs | United States | SOC 2 alignment; encryption in transit and at rest |
| Supabase | Database backing for ListingPro | Property inputs, generated outputs, account references | United States | SOC 2 Type II; GDPR-aligned |
| PostgreSQL on Railway | Database backing for Numidian | Case inputs, generated outputs, access codes, case history | United States | Same as Railway above |
| Cloudflare | DNS, CDN, edge security for consumerdividends.com and product subdomains | IP address, request paths, security logs | Global edge; primary US | SOC 2 Type II; ISO 27001; GDPR-aligned; DPA available |
| Stripe | Payment processing, subscription management, billing | Cardholder data (Stripe-tokenized, not stored by us), customer email, transaction history | United States and other regions per Stripe | PCI DSS Level 1; SOC 1, SOC 2; GDPR-aligned |
| OpenAI (via API) | Language model inference for Numidian and ListingPro outputs | Inputs submitted at runtime; not retained for training under our API agreement | United States | SOC 2 Type II; GDPR-aligned; zero-retention API option in use |
| Google Workspace | Operational email (support@, andreys@, admin@consumerdividends.com) | Email content sent to or from us | United States | SOC 1/2/3; ISO 27001/27017/27018; GDPR-aligned |
| GitHub | Source code hosting | No customer personal data | United States | SOC 2 Type II |
Notes on scope
OpenAI: Inputs you submit to Numidian or ListingPro are sent to OpenAI for the duration needed to generate your output. Under our API agreement with OpenAI, those inputs are not used to train OpenAI's models and are not retained beyond 30 days for abuse-monitoring purposes (and zero retention where requested for specific endpoints). We have configured our integration to minimize retention to the extent OpenAI supports.
Railway and Cloudflare: handle infrastructure and edge security. They have access to network metadata (IP addresses, request paths) but not to the contents of your inputs or outputs except as data passes through their networks in transit.
Stripe: receives payment information directly through Stripe's secure checkout. We do not store full payment card data on our systems. We receive payment confirmation events and customer identifiers from Stripe.
Changes
We may add or replace subprocessors. Material changes are communicated by:
- Updating this page (date and content).
- Emailing active customers and Agency tier contacts at least 30 days before the change takes effect.
- Where required by a Data Processing Addendum signed with a customer, separate notice as specified in that addendum.
Customers may object to a new subprocessor on reasonable grounds. If we cannot resolve the objection, the customer may terminate the affected service and receive a pro-rata refund.
Questions
support@consumerdividends.com