JetSetGo Sub-processors
Last updated: 2026-05-25
This page lists the third-party vendors ("sub-processors") that JetSetGo LLC engages to process personal data on behalf of its operator-customers. The list is current as at the date above and is the authoritative published list referenced from the JetSetGo Privacy Policy and Data Processing Addendum (DPA).
If you are an operator-customer and want to be notified when this list changes, email privacy@jetsetgo.world and we will add you to the change-notification list. We also notify all active operators by email and an in-product banner of any change, with at least 30 days' notice.
What counts as a sub-processor
Under GDPR Article 28(2), CCPA section 1798.140(ag), POPIA, and the Australian Privacy Act, a sub-processor is any third party engaged by JetSetGo to process personal data on the operator-customer's behalf. The list below includes every vendor that touches operator or traveller personal data — hosting, database, authentication, payments, communications, edge networking.
Current sub-processors
| Sub-processor | What they do for us | Personal data they touch | Legal entity country | Data-residency / processing region |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Primary hosting and infrastructure — EC2 (backend services: FastAPI, Hasura self-hosted, background workers); S3 (object storage); SES (transactional email — booking confirmations, password resets, weather-cancellation alerts); Secrets Manager; CloudFront (CDN); Amplify (build infrastructure) | All operator and traveller personal data passing through the application layer; transactional email content; build artefacts | United States (Amazon Web Services, Inc.) | ap-southeast-2 (Sydney, Australia) for production and backups; some Amplify build infrastructure in US regions |
| Oracle Cloud Infrastructure | Primary production Postgres database | All operator and traveller personal data stored in the primary relational database | United States (Oracle Corporation) | Sydney, Australia |
| Google LLC (Firebase Authentication) | Operator-staff identity / login / SSO support (SAML 2.0 and OIDC) | Email, hashed password, login telemetry of operator staff users (no traveller data) | United States | Multi-region (Google datacentres in US, EU, and Asia per Google Cloud's Auth backend) — Authentication scope only; Firestore is not used |
| Stripe | Payments processing. Stripe is a controller in its own right for fraud, AML, KYC and tax-reporting purposes; listed here for transparency. The operator's contracting entity with Stripe varies by jurisdiction: Stripe Payments Australia Pty Ltd (ABN 41 160 180 343) for AU-resident operators; Stripe Payments Europe Ltd for EU/UK; Stripe, Inc. for the US; the corresponding Stripe entity for other jurisdictions. JetSetGo LLC's platform-level relationship is with Stripe, Inc. (Delaware). | Cardholder data (held by Stripe, not by JetSetGo); payout data; payer identity; fraud-prevention signals | United States (Stripe, Inc.), Ireland (Stripe Payments Europe Ltd), Australia (Stripe Payments Australia Pty Ltd) | US for global controller functions; jurisdiction-specific Stripe entity for the merchant-of-record relationship |
| Twilio, Inc. | SMS and voice messaging — booking notifications, OTPs, weather alerts | Recipient phone number, message content | United States | Routing per recipient country; messaging metadata stored in the United States; Australian endpoints used where available |
| Cloudflare, Inc. | DNS, edge proxy, DDoS protection, rate limiting | Request metadata, IP addresses | United States | Global edge network; metadata and logs in the United States |
How we notify you of changes
JetSetGo will give every active operator at least 30 days' notice of any new or replaced sub-processor by:
- Email to the account-owner
- An in-product banner inside the admin console
- An update to this page (including the "Last updated" date above)
If an operator reasonably objects to a new sub-processor on data-protection grounds within 30 days of notice, the operator may terminate the affected services (or the whole agreement, at their option) without penalty and exercise their data-export entitlement under DPA §12. See DPA §6 for the full mechanics.
Sub-processors we have stopped using
This section will list sub-processors that JetSetGo previously engaged but no longer does, with the date they were removed, so the history is preserved transparently. None at this time.
Questions
Email privacy@jetsetgo.world.
