Skip to main content
Excelerate

Subprocessors

Last updated: May 2026 · Verified accurate as of 11 May 2026

On this page

Excelerate uses a small number of trusted third-party providers (“subprocessors”) to operate the Service. Each subprocessor processes personal data on our behalf, only on our documented instructions, and under a written Data Processing Agreement compliant with UK GDPR Article 28 and EU GDPR Article 28.

This page lists the active subprocessors that may handle personal data of Excelerate users or the customers of Excelerate organisations. We will notify subscribers of any material change to this list at least 30 days before the change takes effect, allowing time to object before the new subprocessor is engaged. To opt in to advance notifications, see Subprocessor Change Notifications below.

Active Subprocessors

Supabase Inc.

  • Purpose: primary backend - PostgreSQL database, authentication, edge functions, and object storage
  • Data processed: account credentials (hashed), organisation membership, brand configurations, audit-display preferences, custom cell styles, template files uploaded by organisations, signed URLs, audit logs
  • Region: West Europe (London, United Kingdom)
  • DPA: supabase.com/legal/dpa

Vercel Inc.

  • Purpose: hosting of the Excelerate website, marketing pages, portal, and Add-in static assets
  • Data processed: request logs (URL paths, IP addresses, user-agent strings, timestamps)
  • Region: global edge network; primary control plane United States
  • Transfer mechanism: EU Standard Contractual Clauses + UK Addendum
  • DPA: vercel.com/legal/dpa

Cloudflare, Inc.

  • Purpose: DNS resolution and network security for the exceleratefinancialmodelling.com domain
  • Data processed: IP addresses and request metadata at the DNS layer
  • Region: global edge network
  • Transfer mechanism: EU Standard Contractual Clauses + UK Addendum
  • DPA: cloudflare.com/cloudflare-customer-dpa

Resend

  • Purpose: transactional email delivery (account verification, password reset, organisation invitations, billing notifications)
  • Data processed: recipient email address, recipient display name, message body
  • Region: EU and US
  • Transfer mechanism: EU Standard Contractual Clauses + UK Addendum
  • DPA: resend.com/legal/dpa

PostHog Inc.

  • Purpose: identified product analytics on the authenticated Excelerate portal; pseudonymous tool-usage telemetry from the Add-in
  • Data processed (portal): distinct identifier equal to your Excelerate user ID, email address, organisation ID and name, organisation tier, role within organisation, product interaction events
  • Data processed (Add-in): tool name, success or failure status, execution duration, host platform, your Excelerate user ID, organisation ID, and organisation tier; explicitly excluding spreadsheet content
  • Region: EU instance
  • DPA: posthog.com/dpa

Functional Software, Inc. (Sentry)

  • Purpose: application error and exception telemetry - captures uncaught JavaScript errors and runtime exceptions in the Add-in to identify reliability issues and prioritise fixes
  • Data processed: error message text, stack traces (server-side symbolicated against hidden source maps uploaded at build time), browser type, Excel host platform, build version (commit SHA), and recent breadcrumbs (navigation/history events and outbound HTTP request URLs with query strings + credentials scrubbed acrossurl, from, and to fields; console-, click-, input-, and DOM-event-category breadcrumbs are dropped at the SDK boundary so workbook-derived values that may appear in console logs or DOM event metadata cannot ride along with error events)
  • Excluded:cell values, formula strings, sheet names, file names, workbook structure, named ranges, chart data, and other workbook content. The Add-in’s Sentry initialisation sets sendDefaultPii: false and uses a beforeSend scrubber to drop any user-email payload that future code paths may attach.
  • Region: EU (Frankfurt, Germany) - single ingest endpoint o4511319887380480.ingest.de.sentry.io; no US region usage.
  • Transfer mechanism:No international transfer - contracting entity for EU/UK customers is Sentry Software Ireland Limited (an EEA entity); error telemetry data remains within the EEA. Where the contracting party is instead Functional Software, Inc. (US parent), EU Standard Contractual Clauses + UK Addendum to the SCCs apply per Sentry’s published DPA.
  • DPA: sentry.io/legal/dpa

Paddle.com Market Limited

  • Purpose: Merchant of Record for subscription billing - payment processing, invoicing, sales tax and VAT collection, fraud screening, and refund processing
  • Data processed: name, email address, billing address, tax residency, payment card metadata (tokenised; Excelerate does not see raw card numbers), transaction history, subscription identifiers
  • Region: United Kingdom (Paddle.com Market Limited, registered in England)
  • Note:Paddle acts as Merchant of Record, meaning your contractual purchase relationship for the payment transaction is with Paddle. Paddle’s own Privacy Notice applies in parallel.
  • DPA: paddle.com/legal/dpa

DigitalOcean LLC

  • Purpose: infrastructure hosting for supplementary services such as development and staging environments and scheduled background jobs. This provider does not host the production database or serve production user traffic to the Add-in or portal.
  • Data processed: server access logs, IP addresses for service health monitoring
  • Region: EU (London or Frankfurt) where available
  • Transfer mechanism: EU Standard Contractual Clauses + UK Addendum
  • DPA: digitalocean.com/legal/data-processing-agreement

Subprocessor Change Notifications

If you would like to receive advance notification of any new subprocessor we engage (or the replacement of an existing one), email support@exceleratefinancialmodelling.comwith the subject line “Subprocessor notifications”. We will give at least 30 days’ advance notice before the change takes effect, with the right to object on reasonable grounds. If we are unable to address an objection, you may terminate the affected subscription with a pro-rata refund of any pre-paid amount.

Distribution and Authentication Channels (Not Subprocessors)

The following parties are referenced for transparency but are not subprocessors of Excelerate, because Excelerate does not direct their processing of your personal data:

  • Microsoft- distributes the Add-in via the Microsoft AppSource marketplace and provides authentication via the Microsoft identity platform when you choose “Continue with Microsoft”. This covers both personal Microsoft accounts and Microsoft Entra ID (formerly Azure Active Directory) work or school accounts. Microsoft processes your authentication data under its own privacy notice and acts as an independent Controller for that processing.
  • Google- provides Google account authentication when you choose “Continue with Google”. Google processes your authentication data under its own privacy notice and acts as an independent Controller for that processing.

Change Log

  • May 2026 - PostHog Add-in scope clarified.Add-in tool-usage telemetry reclassified from “anonymous” to “pseudonymous” following enrichment of tool_executed events with the Excelerate user ID, organisation ID, and organisation tier. No new subprocessor; no new data category; same explicit exclusion of spreadsheet content. The change enables per-organisation feature-adoption insights in the portal.
  • April 2026 - Initial publication. Seven active subprocessors listed: Supabase, Vercel, Cloudflare, Resend, PostHog, Paddle, DigitalOcean. Microsoft and Google referenced as authentication channels (not subprocessors).

Material additions or replacements will be appended above with the effective date. Subscribers who opt in to change notifications are notified in advance.

Questions

For questions about subprocessors, or to request a signed copy of our Data Processing Agreement, contact support@exceleratefinancialmodelling.com.