Ruba
Service Providers
Transparency into the cloud infrastructure, data analytics, and specialized technology partners supporting Ruba's global billing engine
To deliver high-availability billing infrastructure, process merchant transactions reliably, and maintain enterprise-grade security across our platform, Ruba engages selected third-party technology vendors and cloud infrastructure partners.
This document provides transparent documentation regarding our authorized service providers, their legal classification as data sub-processors, our rigorous vendor governance standards, and the operational roles they perform within the Ruba ecosystem.
1. Overview of Infrastructure & Service Providers
1.1. Modern Cloud Architecture. Ruba is built upon resilient, distributed cloud computing infrastructure. Rather than operating physical data centers, we partner with world-class cloud hyperscalers, database specialists, and analytical service providers to ensure 99.99% uptime, rapid scalability, and robust data protection. 1.2. Operational Scope. Our service providers assist with database hosting, event stream processing, edge content delivery, transactional email notifications, tax calculation, error monitoring, and customer support ticket orchestration.
2. Definition & Legal Classification of Sub-Processors
2.1. GDPR & Privacy Frameworks. Under the European Union General Data Protection Regulation (GDPR) and UK GDPR, third-party entities engaged by a data processor (such as Ruba) who process personal data on behalf of subscribing merchants (data controllers) are classified as Sub-processors. Under U.S. State Privacy Laws (including the California CCPA/CPRA), these entities are classified as Service Providers or Contractors. 2.2. Strict Purpose Limitation. Sub-processors and Service Providers are legally authorized to ingest, host, or process personal data strictly upon Ruba’s documented instructions and solely for the operational purpose of rendering their contracted infrastructure services. They are strictly prohibited by contract and law from selling, sharing, or utilizing personal data for independent commercial marketing or behavioral profiling.
3. Rigorous Due Diligence & Vendor Governance
3.1. Pre-Onboarding Evaluation. Before onboarding any new technology vendor or sub-processor, Ruba conducts a multi-faceted security, legal, and operational risk assessment. We evaluate the vendor's system architecture, data isolation controls, vulnerability management protocols, and regulatory compliance standing. 3.2. Contractual Data Protection Agreements. Ruba executes formal, written Data Processing Agreements (DPAs) with every sub-processor. These contracts flow down all mandatory data protection obligations, ensuring that our vendors are legally bound to security standards no less rigorous than those stipulated in Ruba's own customer agreements. 3.3. International Transfer Safeguards. Where a sub-processor processes or hosts personal data outside of the European Economic Area (EEA), Switzerland, or the United Kingdom, Ruba mandates the execution of approved international transfer mechanisms, such as the European Commission’s Standard Contractual Clauses (Module 3: Processor to Processor) and the UK International Data Transfer Addendum.
4. Ruba Vendor Security Practices
We enforce stringent security requirements across our entire vendor supply chain. Our sub-processors must continually satisfy the following operational standards:
- Security Certifications: Vendors hosting critical databases or processing sensitive customer data must maintain independent industry certifications, including SOC 2 Type II and ISO/IEC 27001 attestations, which Ruba reviews on an annual cycle.
- Cryptographic Protection: All data transmitted between Ruba servers and vendor infrastructure must be encrypted in transit using TLS 1.2 or higher. All customer records, backups, and log files stored on vendor servers must be encrypted at rest using AES-256 encryption.
- Least-Privilege Access: Vendors must enforce strict role-based access controls (RBAC), multi-factor authentication (MFA), and zero-standing privilege policies for their engineering personnel. Vendor staff are prohibited from accessing Ruba production data without explicit, time-bound administrative authorization.
- Vulnerability & Incident Management: Vendors must conduct regular penetration testing and vulnerability scanning. Furthermore, vendor contracts mandate immediate notification (within 24 to 48 hours) in the event of any confirmed security incident or unauthorized access impacting Ruba data.
5. Authorized Sub-Processors & Service Providers
The following table lists Ruba's currently authorized sub-processors, the categories of data they process, their specific operational purpose, and their geographic processing locations:
| Vendor Entity | Data Categories Ingested | Purpose of Processing & Platform Role | Processing Location |
|---|---|---|---|
| Render Services, Inc. | Merchant products, customer profiles, subscriptions, orders, and financial transaction records | Core cloud computing infrastructure and database hosting for billing engine features | United States |
| Tinybird, Inc. | Real-time customer event streams and webhook telemetry | High-throughput data ingestion, usage-based billing analytics, and event aggregation | United States |
| Amazon Web Services, Inc. (AWS) | Product images, customer invoices, static assets, and system audit logs | Object storage (S3), secure invoice archival, and historical log retention for security auditing | United States |
| Vercel, Inc. | End-user browsing interactions, session metadata, and HTTP request headers | Edge network routing, frontend dashboard hosting, and serverless API execution | Distributed / Global |
| Plus Five Five, Inc. (Resend) | Merchant email addresses and end-user customer email addresses | Dispatching transactional emails, invoice receipts, subscription alerts, and verification codes | United States |
| Stripe, Inc. | Customer email addresses, billing addresses, tax IDs, and payment transaction metadata | Payment processing, merchant settlement, checkout orchestration, and tax remittance | United States / Global |
| Numeral Two, Inc. | Customer billing addresses, country codes, and business tax identification numbers | Real-time global VAT, GST, and sales tax calculation and compliance compliance | United States |
| Jade Technologies Ltd (ChargebackStop) | Customer payment transaction metadata and dispute notifications | Monitoring credit card chargebacks, automated dispute representation, and fraud alerts | United Kingdom |
| PostHog, Inc. | User email addresses, dashboard interaction events, and usage analytics | Product analytics, feature flag management, and platform UX optimization | United States |
| Functional Software, Inc. (Sentry) | Exception stack traces, user email addresses, and browser device metadata | Real-time application exception tracking, crash reporting, and debugging | United States |
| Pydantic Services, Inc. (Logfire) | Application telemetry, request traces, and system performance logs | Engineering performance monitoring, observability, and structured log analysis | United States |
| Not Just Tickets Ltd (Plain) | Merchant email addresses, customer names, and support message transcripts | Customer support ticketing, helpdesk communications, and issue resolution | United Kingdom |
6. Subscription to Updates & Notification Protocol
6.1. Dynamic Supply Chain. As our technology stack evolves, we may onboard new service providers to enhance platform performance, expand into new geographic regions, or consolidate infrastructure. 6.2. 30-Day Advance Notice. In accordance with our Data Processing Addendum (DPA), Ruba commits to providing subscribing merchants with at least thirty (30) days' advance written notice before authorizing any new sub-processor to access or process Covered Data. 6.3. Email Notifications. Merchants will receive automated email alerts sent to their primary account administrative contact whenever updates are made to our sub-processor roster. During the 30-day notice window, merchants hold the right to submit substantiated, data-protection-based objections as outlined in our DPA.
7. Contact & Inquiries
If you have questions regarding our vendor governance practices, data processing agreements, or specific sub-processor security controls, please reach out to our team:
- General & Vendor Inquiries: support@getruba.com
- Privacy & Compliance Team: privacy@getruba.com