Sub-Processor List

Third parties that process data on behalf of Common Identity. Last updated: March 2026.

Under GDPR Article 28, we maintain a list of sub-processors who process personal data on our behalf. We notify users of changes to this list via updates to this page.

Sub-Processor	Purpose	Data Processed	Location	DPA Status
WAM GPU Service	Neural watermark embedding and detection	Image and video bytes (in memory only, not persisted to disk)	US (cloud GPU)	Internal service, covered by organizational security policies
Google Cloud Storage	Temporary video storage during watermark processing via time-limited signed URLs	Video bytes (temporarily stored, auto-deleted within 24 hours via bucket lifecycle policy)	US (Google Cloud, us-central1)	Google Cloud DPA / Standard Contractual Clauses
Base Blockchain Network	Watermark ID registration and ownership proof	Wallet address, Watermark ID, registration timestamp (permanent, public)	Decentralized (global)	Public infrastructure, no DPA applicable
Privy	User authentication and embedded wallet management	Email address, wallet address, authentication tokens	US	DPA in place
IPFS / Pinata	Decentralized storage for watermarked images (opt-in only)	Watermarked image file (only if user opts in)	Decentralized (global) / US (Pinata gateway)	DPA in place (Pinata)
Upstash Redis	Server-side rate limiting, session caching, and report verification metadata	Rate limit counters (IP-based), session metadata, report metadata (report ID, type, beacon ID, cryptographic hash, signature -- retained for 1 year)	US	DPA in place
CDP Paymaster	Gasless transaction sponsorship for blockchain registration	Transaction payload (wallet address, contract call data)	US	DPA in place

Changes to This List

We will update this page when sub-processors are added, removed, or replaced. Material changes will be noted in the privacy policy changelog. If you have questions about our sub-processors, contact [email protected].