Subprocessors
Last reviewed: May 7, 2026
These are the companies we use to run Toolbar. Each one handles some of your data on our behalf — for things like storing accounts, hosting the app, catching errors, or running AI features. We have signed agreements with all of them that require them to protect your data and use it only for the purposes we specify. Where data is transferred outside the EU, we rely on EU-approved contracts to keep it protected.
We keep this list up to date. If our providers change, we will update it and bump the "Last reviewed" date above. Questions? Email us at notices@toolbar.no.
Supabase
Supabase, Inc.
Service & Purpose
Managed database, authentication, and file storage backend. Supabase stores all application data including user accounts, organisation records, software inventory, seat assignments, usage metrics, and billing information. It also manages authentication sessions and access tokens.
Categories of Data Processed
- Account identifiers (name, work email)
- Organisation and membership data
- Role and permission records
- Software, seat, and usage records
- Billing and spend metadata
- Identity provider integration references
- Authentication session tokens
Processing Location & Transfer Safeguards
Data is stored in Sweden, an EU member state. No cross-border transfer mechanism is required for EEA-resident data subjects. Supabase processes data under a Data Processing Agreement (DPA).
References
Vercel
Vercel, Inc.
Service & Purpose
Web application hosting, content delivery network (CDN), and server-side runtime. Vercel serves the Toolbar web application and handles all HTTP requests, including edge routing, server-side rendering, and static asset delivery.
Categories of Data Processed
- IP addresses and device/browser metadata
- HTTP request headers and query parameters
- Server-side request logs and performance traces
- Cookies and session identifiers set at request time
- Edge function execution metadata
Processing Location & Transfer Safeguards
The Toolbar deployment is configured to serve from Sweden, an EU member state. Vercel's global CDN may serve cached static assets from edge nodes outside the EEA; request logs and identifiable data are retained in the configured primary region. Vercel processes data under a Data Processing Agreement (DPA).
References
Google Gemini
Google LLC
Service & Purpose
AI model API used to power automated features within Toolbar, including software import mapping and catalog enrichment. Requests are made server-side using the Google Generative AI API. Toolbar does not use customer content to train AI models.
Categories of Data Processed
- Customer-submitted software import data used for AI-assisted mapping, including uploaded rows, columns, software names, vendor names, plan labels, URLs, pricing, cost figures, and other business context included by the customer
- Software vendor and product metadata submitted for catalog enrichment, such as vendor names, product names, and URLs
- Publicly available vendor website and pricing content retrieved during enrichment workflows
Processing Location & Transfer Safeguards
Where data is transferred outside the EEA, Toolbar relies on Standard Contractual Clauses (SCCs) adopted by the European Commission, as incorporated in Google's Data Processing Amendment. Toolbar uses Gemini only to provide import mapping, catalog enrichment, and related product features, not to train AI models. Customers should review their own data classification policies before using AI-assisted import features.
Sentry
Functional Software, Inc. d/b/a Sentry
Service & Purpose
Sentry is used for error monitoring, performance tracing, sampled session replay, and voluntary feedback submissions. Replay uses Sentry’s default privacy protections, which mask text and input values and block media before data is sent. We may also send technical request metadata and limited user identifiers, such as email address and display name, for debugging and support.
Categories of Data Processed
- Error events including JavaScript stack traces and server-side exception details
- Performance spans and server request traces
- Browser and device metadata (user agent, viewport, OS, browser version)
- User identifiers (email address and display name) attached to error and feedback events
- Sampled session replays including DOM snapshots and user interaction sequences
- Voluntary feedback submissions (text description and optional screenshot)
Processing Location & Transfer Safeguards
Toolbar's Sentry organisation is configured to ingest data exclusively through the EU data centre, located in Germany. Data does not leave the EEA for primary storage or processing. Sentry processes data under a Data Processing Agreement (DPA) that incorporates Standard Contractual Clauses for any incidental transfers.
Resend
Resend, Inc.
Service & Purpose
Transactional email delivery for Toolbar notifications, including access-review emails, owner-transfer emails, and related operational messages.
Categories of Data Processed
- Recipient email address and name
- Organization name
- Email subject and body content
- Review, transfer, and product links included in emails
- Email delivery and diagnostic metadata
Processing Location & Transfer Safeguards
Where data is transferred outside the EEA, Toolbar relies on applicable legal transfer mechanisms, such as Standard Contractual Clauses (SCCs), and written data protection commitments from the provider.
Tally
Tally BV
Service & Purpose
Demo request and contact form intake. Toolbar uses Tally forms to collect demo requests submitted from the public website.
Categories of Data Processed
- Name
- Work email
- Company name
- Form responses and free-text context submitted by the requester
- Submission metadata generated by the form service
Processing Location & Transfer Safeguards
Tally is based in the European Union. Where processing or support access involves transfers outside the EEA, Toolbar relies on applicable legal transfer mechanisms and written data protection commitments from the provider.