This page lists the third-party service providers ("sub-processors") that 4rho uses to operate the platform. Each provider processes a defined slice of personal data on 4rho's behalf, under a written data- processing addendum (DPA), and only for the purpose listed.
We update this list before adding new sub-processors. Material changes notify affected B2B counterparties at least 30 days before the change takes effect; individual users are notified through the in-app banner and an entry in the Privacy Policy changelog.
Last updated: 2026-05-14
Current sub-processors
| Provider | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Vercel | Frontend hosting + edge CDN | United States (global edge POPs) | EU Standard Contractual Clauses (SCCs) for non-US data subjects |
| Railway | Backend application hosting | United States | EU Standard Contractual Clauses (SCCs) |
| Neon | Managed Postgres (primary database) | United States | EU Standard Contractual Clauses (SCCs) |
| Upstash | Managed Redis (cache + rate limits) | Multi-region (configurable) | EU Standard Contractual Clauses (SCCs) |
| Sentry | Error monitoring + performance traces | United States | EU Standard Contractual Clauses (SCCs); user-PII scrubbed before send |
| Privy | Authentication, embedded-wallet custody | United States | EU Standard Contractual Clauses (SCCs) |
| Resend | Transactional email delivery (verification, breach notification, support replies) | United States | EU Standard Contractual Clauses (SCCs); email address + dispatch metadata only |
| Cloudflare | DDoS mitigation + edge proxy | Global | Adequacy / SCCs (depending on user region) |
| ipapi.co | GeoIP enrichment for sign-ins | Multi-region | SCCs; only IP-derived metadata, no payload |
| Chainalysis | OFAC / sanctions wallet screening | United States | SCCs; only on-chain wallet addresses |
Categories of data
Each sub-processor receives only the slice of data needed for its function. The Privacy Policy enumerates the categories of personal data 4rho collects; the table below maps those categories to the sub-processors that touch them.
| Data category | Sub-processors |
|---|---|
| Authentication identifiers (Privy DID, OAuth subject) | Privy, Sentry (incidental in error context) |
| Wallet addresses | Privy, Chainalysis, Sentry (incidental) |
| IP address + derived geolocation | Vercel, Cloudflare, Railway, ipapi.co, Sentry |
| Account profile (display name, email, DOB, preferences) | Neon (primary store), Sentry (incidental) |
| Email address (for transactional dispatch) | Privy (account-of-record), Resend (delivery only) |
| Trade history + on-chain receipts | Neon, Polygon (public chain — out of scope as a sub-processor) |
| Support ticket content | Neon |
Notification of changes
When 4rho engages a new sub-processor or replaces an existing one we update this page and the changelog block at the bottom of the Privacy Policy. For B2B / institutional accounts, written notice is sent at least 30 days before the change becomes effective; objections must be raised within that window.
Contact
For DPA copies, sub-processor objections, or sub-processor-specific
data-protection questions, contact the data-protection officer via the
in-app support inbox at /support/tickets/new.