The third parties that touch your data.
A subprocessor is a third-party service provider that Site Brace (Aliso LLC dba Site Brace) engages to help deliver the audit Service, and that handles some portion of customer data on Site Brace's behalf and under Site Brace's instructions. The list below is the complete set of subprocessors in use today. We do not share, sell, or transfer your information to any third party beyond this list. If we add a new subprocessor that processes personal data, we will update this page and notify active customers by email at least 30 days before the new provider goes live, so you have time to object if it is a problem for your procurement.
Operated by: Aliso LLC dba Site Brace. Related: Privacy Policy, Security, Terms of Service.
Last updated: May 10, 2026.
Personal-data processors
These providers handle your contact details (name, email, optional company), your audit metadata (the URL you submitted, the audit slug, payment status), or your payment information. Each provider acts as a data processor under Site Brace's instructions and is governed by its own privacy policy and our agreement with it.
| Subprocessor | Purpose | Data categories | Region | Reference |
|---|---|---|---|---|
| Cloudflare, Inc. | Hosting for the marketing site (Cloudflare Pages), the intake endpoint at api.sitebrace.com (Cloudflare Workers), audit-report object storage at audit.sitebrace.com (Cloudflare R2), authoritative DNS, and inbound mail forwarding for hello@sitebrace.com (Cloudflare Email Routing). | Audit metadata (URL, audit slug, payment status), audit report content and per-page scan results, inbound and outbound email headers and bodies, network-level request metadata (IP address, request headers) at the infrastructure layer. | United States, with a global edge network. | Privacy policy, Data processing addendum. |
| HubSpot, Inc. | Customer-relationship-management system holding your contact record and audit-status history. The HubSpot account is dedicated to Site Brace; data is not co-mingled with any other business the operator runs. | Name, email, optional company, audited URL, audit slug, payment status, contact-form message content, audit history. | United States. | Privacy policy, Data processing agreement. |
| Resend (Resend, Inc.) | Transactional email delivery: intake confirmation, report-ready notification, re-scan notification, contact-form-receipt notification. | Recipient email address, message headers, message body content, send-time metadata, delivery status. | United States. | Privacy policy, Data processing agreement. |
| Brevo (Sendinblue SAS) | Sending relay so the operator can reply from hello@sitebrace.com when answering customer email. | Recipient email address, message headers, message body content, send-time metadata, delivery status. | European Union (France). | Privacy policy, Data processing agreement. |
| Stripe, Inc. | Payment processing for the audit purchase. Stripe handles all card data; Site Brace never sees, stores, or transmits the card number, CVC, or full account details. Site Brace receives only Stripe's success token, the charge ID, the amount, and the email associated with the purchase. | Cardholder name, card number, expiration date, CVC, billing address, transaction metadata (Stripe-side); for Site Brace's record only: customer email, charge ID, amount, payment status. | United States, with regional processing in the European Union and other markets per Stripe's infrastructure. | Privacy policy, Data processing agreement. |
| GitHub, Inc. | Audit pipeline. The per-audit GitHub Actions runner fetches the URLs you submitted, runs axe-core inside a headless Chromium browser via Playwright, writes the result back to Cloudflare R2, and terminates. Nothing intermediate persists on the runner after the job finishes. | Audited website URL, per-page scan output and logs for the duration of the audit job (ephemeral; not retained on the runner after job completion). | United States (GitHub Actions runners). | Privacy statement, Data protection agreement. |
Adding or changing a subprocessor
If we add a new subprocessor that processes personal data, or materially change the role of an existing one, we will:
- Update this page with the new entry, the change date, and a short note describing what changed.
- Email active customers (anyone with a Site Brace audit inside the 12-month access window) at the address they used at intake, at least 30 business days before the new provider goes live.
- Honor any reasonable objection by re-routing your audit through alternate infrastructure where feasible, or by issuing a refund of the unused portion of the audit if it is not feasible.
Replacing an existing subprocessor with a like-for-like provider in the same category (for example, swapping one transactional email provider for another) is treated as a material change for the purpose of notification.
Audit-engine components (no personal data)
Two open-source components are part of the audit pipeline but do not directly receive your name, email, or contact details. They are listed here for completeness, not because they are subprocessors in the data-protection sense.
- axe-core: open-source accessibility-rule engine, vendored as a JavaScript file. Runs inside our headless Chromium browser; makes no network calls.
- Playwright: open-source headless browser driver. Runs inside the GitHub Actions runner; makes no network calls beyond fetching the pages of your website that we audit.
Questions
For subprocessor questions, security-questionnaire requests, or any other data-handling inquiry, use the contact form with subject SECURITY. We respond in writing within five business days.