Sub-Processor Register
Purpose
This register exists for three audiences:
- Subscribers — to know exactly which third parties have access to their personal data and where that data is stored.
- Mexican regulators (INAI) — as the operative documentation supporting our compliance with LFPDPPP Article 36 (international transfer) and the responsable's general duty to maintain a record of processing activities under Mexican data-protection law.
- Counsel and auditors — to verify that contractual safeguards are in place with each sub-processor and that the documented purposes match actual data flows.
We (Jaime Muriel Monroy) act as responsable del tratamiento (data controller) under LFPDPPP. The sub-processors below act as encargados (data processors) and process personal data only on our documented instructions.
Current sub-processors
As of the effective date, the following sub-processors handle personal data on our behalf:
1. Clerk
| Legal entity | Clerk Inc. |
| Service | User authentication and session management |
| Personal data processed | Email, name, optional profile photo, hashed password (when password auth is used), OAuth tokens, IP address, user-agent, session timestamps |
| Storage location | United States (Clerk's primary data centers) |
| Transfer mechanism | Standard contractual safeguards in Clerk's DPA, equivalent to LFPDPPP Article 36 "principio de protección suficiente" |
| DPA reference | Clerk Customer Terms of Service + Data Processing Addendum, accepted in connection with Dardo's account onboarding |
| Sub-sub-processors | Clerk's documented sub-processors as listed at clerk.com/legal/dpa |
| Retention | Per Dardo's instructions: deleted on user account closure plus 12-month grace, except for items required by law (audit logs) |
| Critical | Yes — without Clerk, users cannot sign in |
2. Stripe
| Legal entity | Stripe Payments Mexico, S. de R.L. de C.V. (Mexican merchant-of-record functions); Stripe Payments Company (United States, transaction processing) |
| Service | Payment processing, subscription billing, customer billing portal, invoicing |
| Personal data processed | Name, email, billing address, last four digits of payment card, payment-method type, subscription history, invoice records. Full card numbers, CVV, and expiry are never seen by Dardo — they are tokenized inside Stripe's vault. |
| Storage location | United States primarily (Stripe Payments Company); Mexican entity for local merchant-of-record functions |
| Transfer mechanism | Stripe's Data Processing Agreement, with US-transfer safeguards equivalent to LFPDPPP Article 36 "principio de protección suficiente" |
| DPA reference | Stripe Services Agreement + Data Processing Addendum, accepted in connection with Dardo's account onboarding |
| Sub-sub-processors | Per Stripe's published list at stripe.com/legal/privacy-center |
| Retention | Stripe retains transaction records for at least 5 years per their financial-services obligations; Dardo retains invoice metadata for the same period per Código Fiscal de la Federación Article 30 |
| Critical | Yes — without Stripe, no paid subscription can be charged |
3. Resend
| Legal entity | Resend, Inc. |
| Service | Transactional email delivery (welcome, trial-expiring, payment-failed, subscription-confirmed) |
| Personal data processed | Email address, name, transactional email content (subject + body), delivery / open / click telemetry |
| Storage location | United States primarily (Resend's primary region) |
| Transfer mechanism | Resend's DPA with contractual safeguards equivalent to LFPDPPP Article 36 "principio de protección suficiente" |
| DPA reference | Resend Master Services Agreement + Data Processing Addendum, accepted in connection with Dardo's account onboarding |
| Sub-sub-processors | Per Resend's published sub-processor list (current at resend.com/legal) |
| Retention | Email-delivery telemetry retained 90 days then aggregated; email content not stored after delivery |
| Critical | Operationally important but not critical — if Resend fails, transactional notifications are delayed but the Service remains operable |
4. Cloudflare
| Legal entity | Cloudflare, Inc. |
| Service | (a) Web hosting via Cloudflare Pages for the dardoresearch.com frontend; (b) Worker compute for the API backend; (c) D1 (SQLite) for user records and subscription state; (d) KV for content blob storage; (e) edge log retention for security and abuse detection |
| Personal data processed | IP address, user-agent, request paths, timestamps, session cookies (set by Clerk and traversing Cloudflare edge); plus user records in D1 (email, name, tier, subscription dates) |
| Storage location | Global edge — D1 stores in a primary write region assigned by Cloudflare based on first-write location (no Mexican data center is designated as primary), with read replicas at edge locations; Workers and Pages execute at the user's nearest edge POP. KV is replicated globally. Data may transit through US, EU, or other Cloudflare locations depending on routing |
| Transfer mechanism | Cloudflare's Customer Terms + Data Processing Agreement, with cross-border transfer safeguards equivalent to LFPDPPP Article 36 "principio de protección suficiente" |
| DPA reference | Cloudflare Customer Terms + Data Processing Addendum, accepted in connection with Dardo's account onboarding |
| Sub-sub-processors | None — Cloudflare operates its own infrastructure; documented at cloudflare.com/cloudflare-customer-subprocessors |
| Retention | Edge access logs retained 30 days then aggregated; D1 records retained per Dardo's deletion policy in Privacy §7; KV blobs retained per Dardo's content-management policy |
| Critical | Yes — the Service runs on Cloudflare; no fallback hosting |
5. Anthropic
| Legal entity | Anthropic, PBC |
| Service | Generative AI inference (Claude) for daily market briefs, macro reports, and RV signal commentary |
| Personal data processed | None — Anthropic processes only anonymized market analytics (yield curves, signal z-scores, regime states). User identity and subscription details are never sent to Anthropic. The brief/macro generation pipeline is one-shot inference per cron fire and does not persist user-level data. |
| Storage location | United States (Anthropic's API infrastructure) |
| Transfer mechanism | Anthropic Commercial Terms; personal data is not transmitted to Anthropic in any case (the Service sends only anonymized market analytics to Anthropic for brief generation) |
| DPA reference | Anthropic Commercial Terms of Service, accepted in connection with Dardo's account onboarding |
| Sub-sub-processors | Anthropic's documented infrastructure providers; current list available at anthropic.com/legal |
| Retention | Zero — API calls are not retained beyond the inference response per zero-retention mode |
| Critical | Operationally important but not strictly personal-data critical — Anthropic does not see personal data; if Anthropic is unavailable, daily briefs/macros are not generated but the Service's analytical surfaces remain operable |
Sub-processors NOT used
For clarity and to forestall future questions, the following common SaaS sub-processors are not used by Dardo:
- No analytics SDKs (no Google Analytics, no Mixpanel, no Amplitude, no Segment, no PostHog)
- No advertising or marketing platforms (no Meta Pixel, no Google Ads, no LinkedIn Insight)
- No customer-support platforms (no Intercom, no Zendesk, no Crisp) — support is via direct email to [email protected]
- No CRM (no Salesforce, no HubSpot)
- No session-replay tools (no FullStory, no Hotjar, no LogRocket)
- No third-party error monitoring sending personal data (no Sentry user-context, no Datadog APM personal fields)
- No third-party comments, chat widgets, or social-media embeds
The Service explicitly avoids these to minimize data exposure and simplify regulatory posture. Adding any such processor in the future would require updating this register, providing 30-day notice per Privacy §12, and contractual review.
Adding or changing sub-processors
A new sub-processor or material change in an existing sub-processor's scope is a material change to data processing and triggers:
- Internal review — verify a current DPA exists or is executable, that the processor's data-protection commitments meet LFPDPPP Article 36 standards, and that the purpose is necessary.
- 30-day advance notice to all active subscribers via email and an in-Service notice, per Privacy Policy §12.
- Update to this register — bump version, add an entry, update the effective date.
- Right of objection — subscribers who object to a new sub-processor may cancel their subscription; the change does not retroactively affect data already processed under the prior register.
Emergency changes (e.g., a sub-processor experiencing a security incident requiring immediate replacement) may be made without 30-day notice but require notice within 30 days after the change and full disclosure of the rationale.
Sub-processor data flow summary
The end-to-end flow for personal data through these sub-processors:
[Subscriber] ─sign-up─▶ [Clerk] (auth, identity)
│                        │
│                        └─webhook─▶ [Cloudflare D1] (Dardo user record)
│
├─subscribe─▶ [Stripe] (billing, payment method)
│              │
│              └─webhook─▶ [Cloudflare D1] (subscription state)
│
├─uses Service─▶ [Cloudflare Pages + Workers + KV]
│
└─receives email─▶ [Resend] (transactional only)

[Cron]─▶ [Anthropic] (anonymized analytics in, brief content out)
          │
          └─writes─▶ [Cloudflare KV] (content blobs read by all subscribers)
No personal data flows to Anthropic. Anthropic receives only aggregated market analytics produced by Dardo's pipeline.
Audit and verification
DPAs with each sub-processor are maintained in Dardo's internal records and are available for INAI inspection on reasonable notice. Each DPA is reviewed at least annually for material changes by the sub-processor and re-executed if required.
A copy of the most recent version of this register is maintained at dardoresearch.com/sub-processors for subscriber reference.
Document v1.0 published 2026-05-10. Companion to Privacy Policy v1.0. Next review: 12 months from publish, on any sub-processor change, or sooner if a material change is required.