Sub-processors
This page lists the sub-processors Blade & Bristle Barbershop uses to deliver the service to tenants. A sub-processor is a third party we engage to process personal data on behalf of a tenant (the controller). Every sub-processor is under written contract with confidentiality and data-protection terms; transfers from the EEA / UK / Switzerland to the United States rely on the EU Standard Contractual Clauses (Module 3 - processor-to-sub-processor, 2021/914) and the UK International Data Transfer Addendum.
We give tenants at least 30 days' notice before adding a material new sub-processor. Tenants who object during that window may terminate the affected service line per the DPA.
Current sub-processors
| Sub-processor | Purpose | Data shared | Location | Sub-DPA / Privacy |
|---|---|---|---|---|
| DigitalOcean | Portable host runtime, tenant database storage, encrypted backups, and operational telemetry | Tenant + customer PII, booking data, communication logs, technical logs | United States | DigitalOcean DPA |
| Stripe | Platform subscription billing (Blade & Bristle Barbershop) + tenant payment processing (tenant merchant-of-record) | Saved payment references, billing email + name, transaction metadata (no full PAN — PCI SAQ-A coverage) | United States | Stripe DPA |
| Postmark / Twilio | Transactional appointment email and SMS delivery when configured for live sending | Recipient email / phone, message content, delivery telemetry | United States | Postmark DPA · Twilio DPA |
| Twilio | Fallback SMS delivery for tenants who supply their own Twilio account | Recipient phone, message body, delivery telemetry | United States (tenant-managed) | Twilio DPA |
| Resend / SendGrid | Transactional email transport fallback when enabled by operations or tenant override | Recipient email, message content, bounce + complaint metadata | United States / European Union | Resend DPA · Postmark DPA · SendGrid DPA |
| Cloudflare | DNS, CDN, TLS termination for custom tenant domains (tenant-authorized) | IP address, request metadata, TLS handshake telemetry | Global edge (data-in-transit only) | Cloudflare DPA |
| GoDaddy / Sectigo | Domain registration + TLS certificate issuance for tenant custom domains | Registrant contact (tenant-supplied), domain ownership records | United States | GoDaddy DPA |
| Intuit QuickBooks (optional) | Accounting + bookkeeping export — only enabled per tenant via the QuickBooks integration toggle | Booking totals, line items, tax + tip totals, customer name (when tenant opts in to customer-detail export) | United States | Intuit DPA |
| Microsoft Entra ID (optional) | Optional single sign-on (SSO) for enterprise tenants when configured | Authentication identifiers, email, claims | United States | Microsoft DPA |
How to be notified of changes
Material additions or changes to this list are announced 30 days in advance via the platform admin notifications feed and (for paying tenants) by email to the billing contact on file. The full audit history is available on request from privacy@pointmintz.com.
Tenants who require a signed Data Processing Agreement (DPA) backed by the 2021/914 Standard Contractual Clauses or the UK IDTA can request templates at the same address. See Privacy Policy, International transfers for the in-product references.