Last updated: February 25, 2026
Carlquist uses a limited number of third-party service providers ("Subprocessors") to assist in delivering the Service. Each Subprocessor has been evaluated for security practices and is bound by contractual data protection obligations consistent with our Data Processing Addendum.
The table below lists all Subprocessors currently authorized to process Customer data on behalf of Carlquist.
| Subprocessor | Purpose | Location | Security Info |
|---|---|---|---|
| DigitalOcean | Cloud Infrastructure | US (NYC region) | SOC 2 Type II, ISO 27001 |
| Neon | Managed PostgreSQL | US | SOC 2 Type II |
| Postmark | Transactional Email | US | SOC 2 Type II |
| Sentry | Error Monitoring | US | SOC 2 Type II |
| Cloudflare | DNS & DDoS Protection | Global (Anycast) | SOC 2 Type II, ISO 27001, PCI DSS |
Carlquist will provide at least 30 days' advance notice via email to account administrators before adding a new Subprocessor or replacing an existing one. Customers may object to a new Subprocessor in accordance with the terms of the Data Processing Addendum.
For questions about our Subprocessors or to subscribe to change notifications, contact legal@carlquist.app.