StreetEat Subprocessors List

Last Updated: January 24, 2026

What is a Subprocessor?

A subprocessor is a third-party service provider that StreetEat engages to process personal data on behalf of vendors and customers. This page lists all subprocessors currently used by StreetEat, along with details about the services they provide, data they process, and their location.

Notification of Changes

StreetEat will provide at least 30 days' advance notice before adding a new subprocessor or making material changes to an existing subprocessor's role. Notifications will be sent via:

Email to your registered vendor email address
In-app notification in the vendor dashboard
Update to this page (with effective date noted in changelog below)

Objecting to Subprocessors:

If you object to a new subprocessor on reasonable data protection grounds, you may submit an objection to privacy@streeteat.com within 15 days of notification. If we cannot accommodate your objection, either party may terminate the agreement with 30 days' notice.

Current Subprocessors

Subprocessor	Category	Services Provided	Data Processed	Data Location
Google LLC Firebase / Google Cloud Platform Critical	Infrastructure & Backend	Database (Firestore) Authentication Cloud storage (files, images) Cloud functions (serverless) App hosting Analytics (optional, consent-based)	All vendor and customer data: - Account information - Menu items - Location data - Transaction records - Uploaded documents - Usage analytics (if consented)	United States (us-central1 region)
Stripe, Inc. Critical	Payment Processing	Subscription billing Payment processing Credit card tokenization Fraud detection Financial reporting	Payment data: - Credit card information (tokenized) - Billing addresses - Payment amounts - Transaction history - Vendor bank account details	United States (PCI DSS Level 1 certified)
Vercel Inc. Critical	Web Hosting & Edge Computing	Web application hosting Edge functions (API endpoints) CDN (content delivery) Rate limiting Request routing	API requests: - IP addresses - User agents - Request headers - API endpoint data - Session tokens	United States (primary) Global CDN edge locations
MapTiler AG Important	Map Services	Map tile rendering Geocoding services Reverse geocoding Location search	Location data: - GPS coordinates - Address searches - Map view coordinates - Zoom levels	Switzerland (GDPR compliant)
Mapbox, Inc. Alternative/Fallback Provider Optional	Map Services (Alternative)	Map tile rendering (fallback) Geocoding services Location services	Location data: - GPS coordinates - Map interactions - Only used if vendor selects Mapbox as preferred provider	United States
SendGrid, Inc. (Planned - Not Yet Active) Future	Email Delivery	Transactional email delivery Marketing emails (opt-in) Email analytics Unsubscribe management	Email data: - Email addresses - Email content - Delivery status - Open/click tracking (opt-in)	United States (Effective: TBD)
Twilio Inc. (Planned - Not Yet Active) Future	SMS Delivery	Transactional SMS Two-factor authentication Order notifications Opt-out management	Phone data: - Phone numbers - SMS content - Delivery status - STOP/HELP responses	United States (Effective: TBD)

Subprocessor Security & Compliance

All subprocessors are required to:

Implement appropriate security measures: Encryption in transit and at rest, access controls, regular security audits
Comply with data protection laws: CCPA, VCDPA, CPA, CTDPA, UCPA, COPPA, CAN-SPAM, TCPA
Sign data processing agreements: Contractually bound to equivalent data protection obligations
Maintain security certifications: SOC 2, ISO 27001, PCI DSS (where applicable)
Provide breach notification: Notify StreetEat within 72 hours of any data breach
Support data subject rights: Assist with access, deletion, and correction requests
Delete data upon termination: Purge all data when subprocessor relationship ends

Data Processing Safeguards

Google Cloud Platform / Firebase

Certifications: SOC 2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1
Security: Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
Location: us-central1 region (Iowa, USA)
Backups: Automated daily backups with geographic redundancy
Access Controls: IAM with least-privilege principle, MFA required

Stripe

Certifications: PCI DSS Level 1 Service Provider, SOC 2 Type II
Security: Credit card data tokenized (never stored by StreetEat)
Compliance: PCI DSS, GDPR, CCPA
Location: United States with global redundancy
Data Minimization: Only necessary payment data shared with Stripe

Vercel

Certifications: SOC 2 Type II
Security: All traffic encrypted (TLS 1.2+), DDoS protection
Edge Network: Global CDN with automatic failover
Logging: Request logs retained for 30 days (for security/debugging)
Rate Limiting: Protects against abuse and data scraping

MapTiler & Mapbox

Data Minimization: Only GPS coordinates and map tiles transmitted
No User Tracking: IP addresses anonymized, no user-specific tracking
HTTPS Only: All map data encrypted in transit
MapTiler: GDPR compliant, based in Switzerland
Mapbox: SOC 2 certified, optional provider

Cross-Border Data Transfers

Most personal data is stored and processed in the United States. Cross-border transfers to Switzerland (MapTiler) are protected by:

Switzerland's adequate data protection determination (recognized by many jurisdictions)
Contractual safeguards in subprocessor agreements
Data minimization (only GPS coordinates, not personal identifiers)
Encryption in transit (TLS 1.2+)

Subprocessor Change Log

Recent Changes

January 24, 2026: Initial subprocessors list published

Added: Google Cloud Platform / Firebase (critical infrastructure)
Added: Stripe (payment processing)
Added: Vercel (web hosting)
Added: MapTiler (map services)
Added: Mapbox (optional map provider)
Planned: SendGrid (email delivery - 30+ days notice before activation)
Planned: Twilio (SMS delivery - 30+ days notice before activation)

Future Changes:

When new subprocessors are added or material changes are made to existing subprocessors, we will update this log with:

Effective date of the change
Subprocessor name and category
Services provided and data processed
Vendor notification date (30 days before effective date)

Contact Information

For questions about subprocessors or to object to a new subprocessor:

Email: privacy@streeteat.com
Subject Line: "Subprocessor Inquiry" or "Subprocessor Objection"
Response Time: Within 5 business days