Subprocessors
Third-party vendors that process personal data for Fauxto Labs
Last updated: September 2025
About This List
This page lists third-party vendors that process personal data for us as "processors." We publish it for transparency and to meet GDPR/CPRA expectations. We'll notify users before adding a new subprocessor where required, and update this page when anything changes.
How to Object or Ask Questions
Email [email protected] with subject "Subprocessor Inquiry". If you're an enterprise customer with a DPA, we'll follow the notice terms in your contract.
Current Subprocessors
| Vendor | Purpose | Data Categories | Region | Transfer Mechanism |
|---|---|---|---|---|
Amazon Web Services (S3, CloudFront) | Storage and delivery of user uploads, generated media, backups | Media files, filenames, object metadata, user IDs in paths, logs | US | n/a (US storage) or SCCs if cross‑border |
Render | Backend hosting | IP addresses, request logs, limited account identifiers in server logs | US | SCCs if cross‑border |
Cloudflare | DNS, CDN, WAF, bot protection | IP addresses, request metadata | Global with chosen colo | SCCs |
Auth0 | Authentication, session handling | Email, name, auth identifiers, tokens | US/EU | SCCs |
Stripe | Payments | Billing identifiers, tokenized payment info, last4, billing address | US/EU | SCCs |
FAL.ai | AI inference for image/video/audio | Prompts, generation params, uploaded refs, outputs | US/EU | SCCs |
Note: We restrict processors to least‑privilege access and bind them with DPAs and confidentiality agreements.
Retention Overview
- Media and models: retained until user deletes or account closes; backups purge in 30–45 days
- Logs: 30–90 days, unless needed for security
- Billing records: per tax law
Planned Changes
None at this time. We'll post additions here at least 30 days before activation when contractually required.
Questions about subprocessors?
Contact us at [email protected]