FeaturesHow it worksDevelopersUse casesPricing
Request early access
Back to home

Sub-Processor List

Last updated: 2026-05-09
Version: 1.0

Plirin uses the following sub-processors to operate our services. This list is maintained in accordance with our obligations under GDPR Article 28 and our Data Sharing Policy.

Current Sub-Processors

VendorPurposeData SharedLocationGDPR / DPA StatusContact / Website
Shufti ProKYB (business verification), AML screening (sanctions / PEP / adverse media), Crypto wallet screening, UBO liveness/KYC (tier upgrade)Business name, registration details, UBO names + DOB + address, wallet addresses, identity documents (on Shufti platform), UBO selfie/video (for tier upgrade only)Lithuania (EU)GDPR-compliant; DPA in place (pending production cutover confirmation)privacy@shuftipro.com / https://shuftipro.com
Amazon Web Services (S3)Long-term encrypted document archival (FinCEN regulatory recordkeeping)KYB verification documents (encrypted at rest via KMS)US East-1 (N. Virginia, USA)GDPR-compliant via SCCs (Standard Contractual Clauses)https://aws.amazon.com/privacy/
Amazon Web Services (KMS)Encryption key management for document storageNo personal data transmitted; manages encryption keys onlyUS East-1 (N. Virginia, USA)GDPR-compliant via SCCshttps://aws.amazon.com/kms/
ResendTransactional email delivery (account notifications, KYB status, compliance alerts, UBO verification links)Recipient email address, email subject and body contentUnited StatesSOC 2 compliant; DPA availablehttps://resend.com

Notes

  1. Shufti Pro DPA: A Data Processing Agreement is in place with Shufti Pro. Production cutover is pending sandbox validation. The DPA will be confirmed as active upon first live verification.

  2. AWS SCCs: Amazon Web Services participates in the EU-US Data Privacy Framework and provides Standard Contractual Clauses for data transfers from the EU/UK to US-based AWS regions.

  3. Resend: Used for transactional email only. No marketing email is sent via Resend. Email logs are retained for 30 days per Resend's standard policy.

  4. iDenfy (dormant): A prior KYB vendor (iDenfy) was evaluated but not activated in production. No merchant data was transmitted to iDenfy. The integration code is dormant in the codebase.

Changes to this list

We will notify affected customers at least 14 days before adding or replacing a sub-processor, as required by GDPR. Updates will be reflected on this page with a new "Last updated" date.

If you have concerns about a specific sub-processor, contact privacy@plirin.com.

Related Documents