Sub-processors

Third parties that process personal data on Hotelcilik's behalf

Each sub-processor is bound by a Data Processing Agreement (DPA) restricting them to the purposes listed below. We notify customers in advance when adding or replacing a sub-processor.

Active

Vercel Inc.Global edge; primary execution in EU

Application hosting (Next.js + Hono API)

Data: All — application traffic transits Vercel edge nodes

Neon (Databricks Inc.)EU (Frankfurt)

Postgres database

Data: Hotel operational data: guests, reservations, requests, notifications, staff

Pusher (now part of Forfront)EU

Realtime channels (live request board, notification toast)

Data: Event metadata only (request IDs, status changes); no PII payloads

Vercel BlobUS (iad1) — content addressed by obscure URLs, public bucket access

Object storage (request attachments)

Data: Files uploaded by hotel staff (photos, scans, PDFs of operational items)

Planned (not yet enabled)

Listed for transparency. These vendors are integrated in code but not yet receiving production data. They become "Active" before any customer data is sent.

Local payment provider (TBD)TR

Subscription billing for hotel customers via Turkish local payment methods

Data: Hotel/organization billing contact, payment method tokens (no card data hits our servers)

SentryEU

Error tracking and performance monitoring (planned)

Data: Application error context, stack traces, hotel ID and user ID labels (no PII bodies)

Upstash RedisEU

Per-tenant rate limiting (planned)

Data: IP addresses + hotel IDs as ephemeral keys (TTL ≤ 60s)

ResendEU

Transactional email delivery (planned) — trial expiry, password reset, support notifications

Data: Recipient email addresses + message bodies; no payment info