Sub-processors
Sub-Processor Policy
Casa Fran Concepts LLC - founder/mode
Contact: [email protected]
Effective date: October 16 2025
1 Purpose
This policy explains how Casa Fran Concepts LLC (“we,” “us,” “our”) engages and manages third-party service providers (“sub-processors”) that process limited data on behalf of our Slack app {App Name}.
We maintain strict security and privacy standards consistent with GDPR, CCPA, and Slack Marketplace requirements.
2 Definition
A sub-processor is any external vendor that processes workspace or user data to help us deliver, maintain, or support {App Name} (for example hosting, email delivery, or AI processing).
3 Our Standards
We only use sub-processors that:
Maintain independent security certifications (ISO 27001, SOC 2 Type II or equivalent).
Sign a Data Processing Agreement (DPA) with Casa Fran Concepts LLC including confidentiality, breach-notification, and data-protection terms.
Process data solely to perform contracted services; no sub-processor may use Slack data for advertising, analytics, or AI training.
Support encryption in transit (TLS 1.2+) and at rest (AES-256).
Provide evidence of controls through periodic audits or attestations.
4 Selection and Review
Before onboarding any sub-processor we evaluate:
Type and sensitivity of data processed
Hosting region and transfer mechanisms
Security architecture and incident response capabilities
Legal compliance (GDPR/CCPA/SCCs)
We review vendors annually and off-board any that fail to maintain our standards.
5 Data Access and Minimization
Each sub-processor receives only the minimum data necessary to perform its role and only for the duration of the engagement.
All access is logged, encrypted, and revoked when no longer required.
6 Encryption and Storage
All communications between Casa Fran Concepts LLC and its sub-processors use TLS 1.2 or higher; all stored data is encrypted with AES-256 or better.
Backups are encrypted and automatically purged after 35 days.
7 International Transfers
Where data leaves the customer’s region, we rely on approved safeguards such as:
EU Standard Contractual Clauses (SCCs)
Data Privacy Framework (for U.S. entities)
Regional hosting options when available
8 Notification of Changes
We publish updates at https://tryfoundermode.com/subprocessors and, if required, notify customers at least 30 days before adding a new sub-processor.
Continued use after the notice period constitutes acceptance.
9 Customer Rights
Workspace admins may:
Request the current sub-processor list and processing locations
Object to a new sub-processor on reasonable grounds by emailing [email protected] within the notice period
Request details of vendor due diligence records or DPAs
We will work in good faith to find an alternative solution or terminate the sub-processor if necessary.
10 Current Sub-Processors
Category | Vendor | Purpose | Data Region | Retention |
|---|---|---|---|---|
Infrastructure & Security | Cloudflare, Inc. | Web application firewall, DDoS protection, and edge caching | Global PoPs / U.S. HQ | Up to 30 days (logs) |
Transactional Email | Resend, Inc. | Sends system and notification emails to users | U.S. | As needed for delivery (<30 days) |
Email Marketing & Lifecycle | Loops Inc. | Manages opt-in email communications and product updates | U.S. / EU | Until unsubscribe or workspace deletion |
AI Processing | OpenAI LLC | Processes LLM requests for AI features (with zero-retention mode enabled) | U.S. / EU (Azure OpenAI regions as applicable) | 0–30 days per provider settings |
Database & Admin Interface | Motor Admin Inc. | Secure internal database management and admin dashboards | U.S. | Same as primary database (≤30 days after uninstall) |
All vendors encrypt data in transit and at rest and are bound by DPAs with Casa Fran Concepts LLC.
11 Contact
For questions about this policy or our vendors:
Casa Fran Concepts LLC
Attn: Data Protection Officer
[email protected]