Subprocessor List
Last Updated: November 2, 2025
Introduction
This page lists all third-party service providers (sub-processors) that Bear Billing uses to process customer data. We maintain this list to support GDPR Article 28 requirements and our Data Processing Agreement.
Change Notification
We will notify customers at least 30 days before adding or changing any sub-processor via email and in-product notification.
Current Subprocessors
Stripe, Inc.
Service: Payment processing
Data Processed: Payment card information (tokenized), billing addresses, transaction history
Location: United States
Certification: PCI DSS Level 1, SOC 2 Type II
Website: stripe.com
Cloud Infrastructure Provider
Service: Cloud hosting, database, compute
Data Processed: All customer data
Location: United States
Certification: SOC 2 Type II
Specific provider details available under NDA for enterprise customers.
Email Service Provider
Service: Transactional email delivery
Data Processed: Email addresses, names, email content
Location: United States
Certification: SOC 2 Type II
Data Protection Measures
All subprocessors are required to:
- Sign data processing agreements equivalent to our DPA
- Implement appropriate security measures
- Maintain SOC 2 Type II certification (or equivalent)
- Support GDPR compliance obligations
- Notify us of data breaches within 24 hours
International Data Transfers
For transfers from the EEA, UK, or Switzerland:
- Standard Contractual Clauses (SCCs) in place with all subprocessors
- Supplementary measures per Schrems II requirements
- Data residency options available upon request
Your Rights
You have the right to:
- ✓ Object to new subprocessors within 30 days of notification
- ✓ Request detailed subprocessor information (enterprise customers)
- ✓ Terminate service if we cannot resolve your objection
Questions?
For questions about our subprocessors or to request detailed information, contact [email protected]