Third-party services that process data as part of ForgeStop's NFC authentication platform.
ForgeStop provides 15 days advance written notice before engaging any new sub-processor. Clients may object within 15 days on reasonable data protection grounds. To subscribe to notifications, contact help@forgestop.com.
The following third-party services are currently authorised to process data in connection with ForgeStop's platform. All are subject to data protection obligations no less protective than ForgeStop's Data Processing Agreement.
| Sub-processor | Location | Processing Activities | Assurance |
|---|---|---|---|
| Amazon Web Services (AWS) | United States | Cloud infrastructure: compute (App Runner), relational database (RDS PostgreSQL), object storage (S3), secrets management (Secrets Manager), identity and access management (Cognito), content delivery (CloudFront), web application firewall (WAF), encryption key management (KMS), monitoring (CloudWatch, CloudTrail). | SOC 2 Type II, ISO 27001, PCI DSS, FIPS 140-2 Level 3 (KMS) |
| MongoDB Atlas | United States | NoSQL database for analytics data and audit logs. VPC-peered to ForgeStop AWS infrastructure — all traffic over private network, no public internet. Point-in-time recovery with 35-day snapshot retention. | SOC 2 Type II, ISO 27001 |
| Stripe Inc. | United States | Payment processing for subscription billing. Tokenised — ForgeStop does not receive or store raw card data. | PCI DSS Level 1 |
| Zoho Corporation | India / United States | Alternative payment processing, CRM (ForgeStop operational metadata only — no client personal data). | SOC 2 Type II available |
| New Relic | United States | Application performance monitoring (APM). Receives application telemetry, error tracking, and performance metrics. No client personal data transmitted. | SOC 2 Type II, ISO 27001 |
| Mapbox | United States | Geospatial visualization for scan location analytics on the Dashboard. Receives anonymised scan coordinate data for map rendering. | SOC 2 Type II |
| IPStack / PositionStack | Austria / United States | Geolocation API services for scan location resolution. Receives IP-derived approximate location data during authentication events. | Privacy policy available |
| Google reCAPTCHA | United States | Bot protection for product authentication pages. Receives browser interaction signals for bot detection. No personal data shared. | Google SOC 2 Type II, ISO 27001 |
| Regional Implementation Partners | Per Statement of Work | On-site Batchmaker device installation, NFC production line integration, and initial configuration at client facilities. | NDA + ForgeStop subcontractor security approval |
All client data resides on ForgeStop-owned infrastructure: RDS PostgreSQL (primary database) and MongoDB Atlas (analytics/audit — VPC-peered to ForgeStop AWS, private network only). Sub-processors such as Stripe and Zoho process only ForgeStop's own subscription billing data (tokenised). New Relic receives application telemetry only. Mapbox and IPStack/PositionStack receive anonymised scan coordinates. Regional implementation partners have physical access to Batchmaker hardware during installation only — they do not access client data through ForgeStop systems.
ForgeStop's primary hosting region is us-east-1 (US East — N. Virginia). Disaster recovery state replication to us-west-2 (US West — Oregon). Specific region information is available upon request. Data residency in other regions may be available as a custom enterprise arrangement.
AWS, Stripe, Zoho, MongoDB Atlas, New Relic, Mapbox, IPStack/PositionStack, and Google reCAPTCHA are standard platform-level service providers used across all client engagements. They are disclosed in this Sub-processor List and in the DPA (Annex 2) at contract signing. Per the DPA §6.2, these providers are exempt from the 15-day per-engagement client notification requirement. Regional Implementation Partners and any future vendors with direct client data access require notification.
| Date | Change |
|---|---|
| March 2026 | Initial publication. Four sub-processors: AWS, Stripe, Zoho, Regional Implementation Partners. |
| March 2026 (v1.1) | Expanded per CTO review: added MongoDB Atlas, New Relic, Mapbox, IPStack/PositionStack, Google reCAPTCHA. AWS details expanded. Total: 9 sub-processors. |
← Back to Legal · Data Processing Agreement · Version 1.1 · Last updated: March 2026
.png)
.svg){kind=icon}
.svg){kind=icon}
.svg){kind=icon}
.svg){kind=icon}