The third parties that touch your data.
A subprocessor is a third-party service provider that Site Brace (Aliso LLC dba Site Brace) engages to help deliver the audit Service, and that handles some portion of customer data on Site Brace's behalf and under Site Brace's instructions. The list below is the complete set of subprocessors in use today. We do not share, sell, or transfer your information to any third party beyond this list. If we add a new subprocessor that processes personal data, we will update this page and notify active customers by email at least 30 days before the new provider goes live, so you have time to object if it is a problem for your procurement.
Operated by: Aliso LLC dba Site Brace. Related: Privacy Policy, Security, Terms of Service.
Last updated: June 10, 2026.
Personal-data processors
These providers handle your contact details (name, email, optional company), your audit metadata (the URL you submitted, the audit slug, payment status), or your payment information. Each provider acts as a data processor under Site Brace's instructions and is governed by its own privacy policy and our agreement with it.
| Subprocessor | Purpose | Data categories | Region | Reference |
|---|---|---|---|---|
| Cloudflare, Inc. | Hosting for the marketing site (Cloudflare Pages), the intake endpoint at api.sitebrace.com (Cloudflare Workers), audit-report object storage at audit.sitebrace.com (Cloudflare R2), and authoritative DNS. |
Audit metadata (URL, audit slug, payment status), audit report content and per-page scan results, network-level request metadata (IP address, request headers) at the infrastructure layer. | United States, with a global edge network. | Privacy policy, Data processing addendum. |
| HubSpot, Inc. | Customer-relationship-management system holding your contact record and audit-status history. The HubSpot account is dedicated to Site Brace; data is not co-mingled with any other business the operator runs. | Name, email, optional company, audited URL, audit slug, payment status, contact-form message content, audit history. | United States. | Privacy policy, Data processing agreement. |
| Resend (Resend, Inc.) | Transactional email delivery: intake confirmation, report-ready notification, re-scan notification, contact-form-receipt notification. | Recipient email address, message headers, message body content, send-time metadata, delivery status. | United States. | Privacy policy, Data processing agreement. |
| Migadu-Mail GmbH | Email hosting for the sitebrace.com domain: it receives inbound customer mail at hello@sitebrace.com and is where the operator reads and sends replies to customer email. |
Sender and recipient email addresses, message headers, message body content, and send and receive metadata. | Switzerland (Migadu-Mail GmbH); Migadu does not publicly disclose its data-center country. | Privacy policy and Data Processing Agreement (Migadu's privacy policy doubles as its DPA). |
| Stripe, Inc. | Payment processing for the audit purchase. Stripe handles all card data; Site Brace never sees, stores, or transmits the card number, CVC, or full account details. Site Brace receives only Stripe's success token, the charge ID, the amount, and the email associated with the purchase. | Cardholder name, card number, expiration date, CVC, billing address, transaction metadata (Stripe-side); for Site Brace's record only: customer email, charge ID, amount, payment status. | United States, with regional processing in the European Union and other markets per Stripe's infrastructure. | Privacy policy, Data processing agreement. |
| GitHub, Inc. | Audit pipeline. The per-audit GitHub Actions runner fetches the URLs you submitted, runs axe-core inside a headless Chromium browser via Playwright, writes the result back to Cloudflare R2, and terminates. Nothing intermediate persists on the runner after the job finishes. | Audited website URL, per-page scan output and logs for the duration of the audit job (ephemeral; not retained on the runner after job completion). | United States (GitHub Actions runners). | Privacy statement, Data protection agreement. |
Adding or changing a subprocessor
If we add a new subprocessor that processes personal data, or materially change the role of an existing one, we will:
- Update this page with the new entry, the change date, and a short note describing what changed.
- Email active customers (anyone with a Site Brace audit inside the 12-month access window) at the address they used at intake, at least 30 business days before the new provider goes live.
- Honor any reasonable objection by re-routing your audit through alternate infrastructure where feasible, or by issuing a refund of the unused portion of the audit if it is not feasible.
Replacing an existing subprocessor with a like-for-like provider in the same category (for example, swapping one transactional email provider for another) is treated as a material change for the purpose of notification.
Marketing-site analytics
This provider touches only the public marketing site (sitebrace.com). It does not see your audited URL, your audit-report content, your contact details, or your payment information. The audit-report subdomain (audit.sitebrace.com) is not instrumented.
| Subprocessor | Purpose | Data categories | Region | Reference |
|---|---|---|---|---|
| Plausible Insights OÜ | Aggregate web analytics on the public marketing site (sitebrace.com): pageviews per URL and a small number of named conversion events (for example, /audit clicks, /contact submissions, /compare and /watch page views). Cookieless and privacy-preserving by design. The audit-report subdomain at audit.sitebrace.com and the intake API at api.sitebrace.com are not instrumented. |
Page URL (path; query parameters discarded except marketing campaign tags such as utm_source), HTTP referrer, browser and version, operating system, device class, country-region-city derived from the Internet Protocol address. The Internet Protocol address itself is not stored. A daily-rotating salted hash is used in place of cookies; the salt rotates every 24 hours, preventing cross-day visitor identification. No audited URL. No audit-report content. No contact details. No payment information. | European Union (Estonia; servers operated by European infrastructure providers within the EU). | Data policy, Data processing addendum. |
Audit-engine components (no personal data)
Two open-source components are part of the audit pipeline but do not directly receive your name, email, or contact details. They are listed here for completeness, not because they are subprocessors in the data-protection sense.
- axe-core: open-source accessibility-rule engine, vendored as a JavaScript file. Runs inside our headless Chromium browser; makes no network calls.
- Playwright: open-source headless browser driver. Runs inside the GitHub Actions runner; makes no network calls beyond fetching the pages of your website that we audit.
Questions
For subprocessor questions, security-questionnaire requests, or any other data-handling inquiry, use the contact form with subject SECURITY. We respond in writing within five business days.