Sub-processors
Last updated: 2026-04-28
MIR uses a small set of sub-processors to deliver the service. Each sub-processor is bound by a written contract that imposes data protection obligations equivalent to the obligations MIR owes its customers under its DPA. We notify customers in advance of any change to this list.
Notification of changes: We give customers at least 30 days' written notice (via email to the customer's billing or admin contact, and via update to this page) before adding or replacing a sub-processor. Customers may object to a new sub-processor within that window. If MIR cannot accommodate the objection, the customer may terminate the affected services without penalty.
1. Sub-processor list
| Sub-processor | Purpose | Data categories processed | Region(s) |
|---|---|---|---|
| DigitalOcean, LLC DPA |
Cloud infrastructure: compute (Droplets), managed PostgreSQL, managed Redis, load balancer, container registry, object storage, DNS | All customer data processed by MIR (events, hashed identifiers, audit logs, account metadata) | United States (default). EU regions available on request for EU customers. |
| Stripe, Inc. DPA |
Payment processing, billing, subscription management, SLA credit ledger | Customer billing email, payment method (tokenized), invoice metadata, entity usage summaries | United States; Stripe processes EU customer data through its EU subsidiaries under SCCs. |
| WorkOS, Inc. DPA |
SSO and directory authentication for enterprise customers (SAML, SCIM) | Authentication metadata (email, SSO assertions), directory sync metadata. Used only when an enterprise customer enables SSO. | United States. |
| SendGrid (Twilio Inc.) DPA |
Transactional email delivery (magic-link login, account notifications, partner onboarding emails) | Recipient email address, message content (login links, account notifications) | United States, with EU sub-region for EU recipients. |
2. Infrastructure that is not a sub-processor
The following components run on infrastructure MIR controls directly and do not transfer customer data outside the sub-processors listed above:
- Application code (Node.js + TypeScript, Express, Prisma) -- runs in containers on DigitalOcean compute. No data transfer to other parties.
- WebAuthn / passkey verification -- runs in-process on MIR's servers. No third-party authentication service.
- Hashing -- SHA-256 of partner-supplied external IDs is performed in-process before storage. Salts and keys are managed in MIR's internal secret store.
- Real-time delivery (Socket.io) -- runs in-process; no third-party real-time service.
- Image processing (Sharp, where used) -- runs in-process; no third-party image API.
3. International transfers
Where a sub-processor processes personal data of EU/EEA, UK, or Swiss data subjects outside their respective jurisdiction, transfers are made under one of the following mechanisms, in order of preference:
- EU/EEA region of the sub-processor (no transfer outside the EEA).
- European Commission adequacy decision for the destination country.
- Standard Contractual Clauses (Module 3 -- Processor to Sub-processor) executed between MIR and the sub-processor, supplemented by transfer impact assessments and additional safeguards where required.
- UK International Data Transfer Addendum or Swiss-specific addendum as applicable.
4. Audit and verification
Each sub-processor maintains independent third-party security and privacy attestations (SOC 2 Type II, ISO 27001, or equivalent). MIR reviews these attestations annually and will provide the relevant documentation to a customer on written request, subject to applicable confidentiality obligations.
5. Contact
Questions about this list or the underlying contracts can be sent to privacy@mirregistry.com.