Sub-Processors
Last updated: June 1, 2026
Backstage Baton LLC engages the third-party service providers below ("sub-processors") to help deliver the Service. Each may process personal data on our behalf, only as needed to provide its function and under contractual confidentiality and security obligations (including a Data Processing Agreement or the EU/UK Standard Contractual Clauses where applicable). All current processing occurs in the United States.
For the full context, see our Privacy Policy and the DPA.
Current sub-processors
| Vendor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, primary database, file/object storage, secrets, logs, load balancing | USA |
| Twilio | SMS message delivery | USA |
| Twilio SendGrid | Transactional & notification email delivery; inbound parse for weekly-digest replies | USA |
| Stripe | Subscription billing, payment processing, customer portal | USA |
| Anthropic | AI-assisted features (smart import, music enrichment, setlist suggestions, weekly digest) | USA |
AI data note. Under Anthropic's commercial/API terms, inputs submitted via the API are not used to train Anthropic's models, and we limit inputs to what each feature requires. We rely on Anthropic's terms for this commitment.
Out of scope
The following services do not process customer personal data on Backstage Baton's behalf and are not listed as sub-processors:
- GitHub — source code repository and CI/CD. Processes deployment artifacts and encrypted secrets used only by build runners. No production customer data.
- GoDaddy — domain registration and DNS hosting. No customer data.
- npm registry, Google Fonts, dev tooling — public package distribution, static fonts on the marketing site, and developer-workstation tools. No customer data.
When any out-of-scope service moves into a position where it would touch customer data, we vet it and add it to the register above before traffic is routed to it.
How we vet sub-processors
Before engaging a new sub-processor with access to customer personal data, the vendor must satisfy our security and privacy criteria:
- Security attestation — SOC 2 Type II is our standard bar; ISO 27001 is acceptable for non-US-headquartered vendors.
- DPA available and signable — the vendor publishes a DPA addressing GDPR Article 28 and CCPA-equivalent terms.
- GDPR and CCPA posture — defensible international-transfer mechanisms and CCPA-compliant data handling.
- Incident-notification commitment — a contractual timeline, ideally 72 hours or better.
- Public security page — published documentation of security practices.
- Custom DPA negotiability — required for serving enterprise customers.
Notification of sub-processor changes
When we add a new sub-processor that processes member personal data, we update this page and aim to give organization owners and administrators at least 30 days' advance notice before the new sub-processor begins processing. A confirmed security incident at a sub-processor, or a material change to their certifications or to the categories of data shared, triggers notification within 72 hours of our confirmation.
To subscribe to sub-processor change notices, or to ask a question about our sub-processors, email privacy@backstagebaton.com. Customers on enterprise contracts may object to a new sub-processor in writing within 30 days of notice.
Contact
Privacy and sub-processor questions: privacy@backstagebaton.com