Last updated: 2026-05-17
Every third-party vendor that touches data flowing through xrpldashboard. What they see, where they run, and their data-processing agreement. If a row changes, this page changes — there are no silent additions.
How to read this page. "Data they see" describes the maximum scope of data each vendor processes on our behalf — not what they actively store or analyze. xrpldashboard collects no PII (no accounts, no analytics tracker, no marketing list), so the data passing through these vendors is overwhelmingly request metadata and aggregated on-chain figures. The detail is in /privacy.
| Vendor | Purpose | Region | Data they see | DPA |
|---|---|---|---|---|
| Cloudflare | DNS, CDN, WAF, DDoS absorption, TLS termination | Global (anycast edge) | Request metadata: client IP, user agent, requested path, response status. Cached static assets only — no HTML caching. | DPA → |
| Render | Application hosting (Flask app behind Cloudflare) | United States | Request metadata forwarded from Cloudflare. Container logs (standard request log + stderr). No write access from the public web. | DPA → |
| Neon | Managed Postgres for time-series and aggregate XRPL data | United States (Ohio) | Aggregated on-chain figures (whale events, pool rollups, snapshot metadata, MPT registry). No PII; no per-visitor data. | DPA → |
| Brevo | Outbound SMTP for replies from contact@xrpldashboard.com | European Union | Sender, recipient, and message body of outbound email replies sent from our contact address. Inbound mail does not pass through Brevo. | Legal → |
| Squarespace | Inbound email forwarding for contact@xrpldashboard.com | United States | Inbound email envelope + body, forwarded to a single operator inbox. No mailbox storage of forwarded mail beyond transit. | Legal → |
| BetterStack | Uptime monitoring and on-call paging | European Union | Health-check request metadata (timing, response code) for a small set of public endpoints. No request bodies, no user traffic. | Legal → |
| Backblaze B2 | Nightly encrypted backup of source directories (rclone with client-side crypt) | United States | Encrypted blobs only. Backblaze holds ciphertext and cannot decrypt; the encryption key is held off-platform by the operator. Object metadata visible to Backblaze is limited to size, modification time, and bucket path. | Legal → |
Links labeled "DPA" go directly to the vendor's published data-processing agreement. Links labeled "Legal" go to the vendor's legal index — the DPA is reachable from there but not at a stable canonical URL. If a link 404s, email contact@xrpldashboard.com and we'll update the row.
If we add or replace a subprocessor, the change lands on this page in the same deploy. There is no separate vendor list, no internal-only ledger. The "last updated" timestamp at the top reflects the most recent edit. If you want a heads-up before a change goes live, email us and ask to be CC'd.