Subprocessors
Last reviewed: March 18, 2026
These are the companies we use to run Toolbar. Each one handles some of your data on our behalf — for things like storing accounts, hosting the app, catching errors, or running AI features. We have signed agreements with all of them that require them to protect your data and use it only for the purposes we specify. Where data is transferred outside the EU, we rely on EU-approved contracts to keep it protected.
We keep this list up to date. If our providers change, we will update it and bump the "Last reviewed" date above. Questions? Email us at notices@toolbar.no.
Supabase
Supabase, Inc.
Service & Purpose
Managed database, authentication, and file storage backend. Supabase stores all application data including user accounts, organisation records, software inventory, seat assignments, usage metrics, and billing information. It also manages authentication sessions and access tokens.
Categories of Data Processed
- Account identifiers (name, work email)
- Organisation and membership data
- Role and permission records
- Software, seat, and usage records
- Billing and spend metadata
- Identity provider integration references
- Authentication session tokens
Processing Location & Transfer Safeguards
Data is stored in Sweden, an EU member state. No cross-border transfer mechanism is required for EEA-resident data subjects. Supabase processes data under a Data Processing Agreement (DPA).
References
Vercel
Vercel, Inc.
Service & Purpose
Web application hosting, content delivery network (CDN), and server-side runtime. Vercel serves the Toolbar web application and handles all HTTP requests, including edge routing, server-side rendering, and static asset delivery.
Categories of Data Processed
- IP addresses and device/browser metadata
- HTTP request headers and query parameters
- Server-side request logs and performance traces
- Cookies and session identifiers set at request time
- Edge function execution metadata
Processing Location & Transfer Safeguards
The Toolbar deployment is configured to serve from Sweden, an EU member state. Vercel's global CDN may serve cached static assets from edge nodes outside the EEA; request logs and identifiable data are retained in the configured primary region. Vercel processes data under a Data Processing Agreement (DPA).
References
Google Gemini
Google LLC
Service & Purpose
AI model API used to power automated features within Toolbar. Requests are made server-side using the Google Generative AI API.
Categories of Data Processed
- Customer-submitted software import data used for AI-assisted mapping, including CSV headers and row content containing business software information such as software names, vendor names, plan labels, and cost figures
- Software vendor and product metadata submitted for catalog enrichment, such as vendor names, product names, and URLs
- Publicly available vendor website and pricing content retrieved during enrichment workflows
Processing Location & Transfer Safeguards
Where data is transferred outside the EEA, Toolbar relies on Standard Contractual Clauses (SCCs) adopted by the European Commission, as incorporated in Google's Data Processing Amendment. Toolbar uses Gemini for business software metadata and import content, not for intentional submission of personal or sensitive personal data. Customers should review their own data classification policies before using AI-assisted import features.
Sentry
Functional Software, Inc. d/b/a Sentry
Service & Purpose
Sentry is used for error monitoring, performance tracing, sampled session replay, and voluntary feedback submissions. Replay uses Sentry’s default privacy protections, which mask text and input values and block media before data is sent. We may also send technical request metadata and limited user identifiers, such as email address and display name, for debugging and support.
Categories of Data Processed
- Error events including JavaScript stack traces and server-side exception details
- Performance spans and server request traces
- Browser and device metadata (user agent, viewport, OS, browser version)
- User identifiers (email address and display name) attached to error and feedback events
- Sampled session replays including DOM snapshots and user interaction sequences
- Voluntary feedback submissions (text description and optional screenshot)
Processing Location & Transfer Safeguards
Toolbar's Sentry organisation is configured to ingest data exclusively through the EU data centre, located in Germany. Data does not leave the EEA for primary storage or processing. Sentry processes data under a Data Processing Agreement (DPA) that incorporates Standard Contractual Clauses for any incidental transfers.