Tap Links - Sub-processors
Operator: Mace Design LLC (a New York limited liability company) d/b/a “Tap Links”
Effective date: 2026-05-13 · Version: 1.0
Summary
- Tap Links uses a small number of third-party vendors to operate the Service, including Cloudflare, Resend, Google Workspace, and NXP.
- Each vendor is subject to data processing terms in its standard terms of service that limit use of personal information to performing services for Tap Links.
- Material changes to this list are reflected here, and customers with a signed Data Processing Addendum may be entitled to advance notice under that addendum.
This summary is informational and subject to change. In a conflict between this summary and the formal text below, the formal text controls.
This page lists the third-party vendors (“sub-processors”) that Tap Links uses to operate the Service. Each entry describes what the vendor does for Tap Links, what category of personal information it may process, and where to find the vendor’s own privacy and security documentation.
If you have a signed Data Processing Addendum with Tap Links, that addendum may give you additional rights with respect to sub-processor changes (e.g., advance-notice rights, or a right to object).
Production sub-processors
| Vendor | Role | Personal information processed | Location | Vendor docs |
|---|---|---|---|---|
| Cloudflare, Inc. | Edge compute, static hosting, database, key storage, DNS, CDN, DDoS protection | All Tap Links request traffic, including end-user tap data (IP, timestamp, User-Agent), dashboard user data (email, session token), customer data (clients, devices, links). | United States (primarily) | Privacy, Trust Hub, DPA |
| Resend, Inc. | Transactional email | Email addresses (magic-link sign-in, account notifications) | United States | Privacy, Terms, DPA |
| Google LLC (Google Workspace) | Operator email, calendar, and business documents | Email correspondence between Tap Links and customers; internal business documents | United States | Privacy, Workspace DPA |
| Tally.so | Contact form embed on the marketing site | Whatever a visitor submits via the contact form: typically name, email, and message body | European Union (per Tally’s docs as of 2026-05) | Privacy, DPA |
| Cloudflare Web Analytics | Privacy-preserving page-view analytics for the marketing site. Cookieless. | Aggregate page-view counts; no individual visitor identifiers. | United States | Covered by Cloudflare’s main DPA (above) |
Manufacturing / operations sub-processors
These vendors are involved in our physical operations. They are listed for transparency; they do not receive Personal Information about end users in the ordinary operation of the Service:
| Vendor | Role | Notes |
|---|---|---|
| NXP Semiconductors N.V. | Manufacturer of the NTAG 424 DNA NFC chips embedded in our devices | We purchase chips through distributors. NXP receives no runtime data from the Service. |
| [Shipping carrier(s)] | Outbound shipment of hardware to customers | Carrier receives the customer’s shipping address and contact information for delivery. Replace with the carrier(s) you actually use, e.g., USPS, UPS, FedEx, DHL. |
| [Payment processor] | Customer billing (planned; not in production as of the Effective date) | When billing launches, the chosen processor (e.g., Stripe, Braintree) will be added here. The processor will see standard payment metadata. |
The presence of “[bracketed]” entries indicates a category currently in use without a single canonical vendor. Update this page once a vendor is selected.
Other hardware-component suppliers (3D-printer vendors, raw-material suppliers, etc.) are not Sub-processors of Personal Information for purposes of this page; they sell us inputs that we incorporate into our finished product. Their identities are commercially sensitive and are not disclosed here.
US data-processing locations
All sub-processors above are headquartered in the United States with the exception of Tally.so (EU). Tap Links does not currently engage sub-processors outside the United States or the European Union. If we engage a sub-processor outside the US/EU in the future, this page will be updated and customers with a signed DPA will receive the advance notice provided for in their DPA.
How we vet sub-processors
For each sub-processor, we evaluate (at minimum):
- Whether a written Data Processing Agreement is available and acceptable.
- Whether the vendor maintains commercially reasonable security practices, evidenced by published certifications (SOC 2, ISO 27001) or attestations where available.
- Whether the vendor has a documented incident-response and breach-notification process.
- Whether the vendor’s location and parent-company structure introduce legal risks (e.g., sub-processing data subject to incompatible US state laws).
- For free-tier vendors: whether the free tier’s terms allow business use without changing the analysis.
If a sub-processor materially changes its practices in a way that affects our customers (for example, an acquisition or a change in data-processing locations), we will update this page and, where required by a signed DPA, notify affected customers in writing.
Subscribing to sub-processor updates
If you’d like to be notified by email when this list changes:
- Customers with a signed DPA: notification is provided automatically per your DPA.
- Other interested parties: email hello@taplinks.com with the subject “Subscribe, Subprocessor updates” and we will add you to the list.
Changes
We will update this page when we add, remove, or materially change a sub-processor’s role.