Sub-processors
Last updated: 2026-05-10
What this page is
A sub-processor is a third-party service that processes Recursive customer data on our behalf. Under standard data-protection terminology, Recursive is the "controller" of the data; each sub-processor below is a "processor" acting on our instructions, bound by a Data Processing Agreement (DPA) that prohibits independent use of the data and requires equivalent security controls.
Per Privacy Policy §5.5, this list is published as part of our COPPA notice obligation. We update it whenever the production stack changes, and we send notice to account holders per Privacy Policy §11 when a material change occurs.
Who these sub-processors serve
All sub-processors below process data for every Recursive customer category — adult account holders, parents and guardians, coaches, club administrators, and the minor athletes whose information appears via adult action. None of the sub-processors below process children's data for any purpose other than supporting the platform's operation; none use the data for advertising, targeting, profiling, or independent commercial activity. Each is bound by a DPA with terms equivalent to or stricter than COPPA's reasonable-security obligations.
If you have questions about any sub-processor, contact us — operator contact information is published in Privacy Policy §1. The COPPA FAQ permits us to consolidate parental-inquiry contact to Recursive Creations alone, and we field every inquiry directly.
Current sub-processors
| Sub-processor | Purpose | Data processed | Region | DPA / security |
|---|---|---|---|---|
| DigitalOcean (hosting) | Application hosting, compute, network | All platform data in transit; persistent storage of user data including children's records | United States (New York — NYC3) | digitalocean.com/legal/data-processing-agreement |
| DigitalOcean Managed PostgreSQL (database) | Persistent database for users, teams, games, events | All platform records including children's data | United States (New York — NYC3) | digitalocean.com/legal/data-processing-agreement |
| Resend | Transactional email delivery (verification, password reset, deletion confirmations, notifications) | Email addresses, email subject + body content (incl. one-time tokens) | United States | resend.com/legal/dpa |
| Sentry (error monitoring) | Aggregated error reporting and platform observability | Stack traces; may incidentally include user external IDs (UUIDs); never includes PII fields | United States | sentry.io/legal/dpa |
| DigitalOcean Spaces (encrypted backup storage) | Encrypted database backups for disaster recovery | Encrypted snapshots of production data, including children's records | United States (New York — NYC3) | digitalocean.com/legal/data-processing-agreement |
We do not currently use any third-party advertising network, analytics SDK that sends data to ad networks, or social-media tracking pixel. The platform's commitment in Privacy Policy §4 ("What we do not do") is a design constraint enforced at the code level: no such SDKs are installed, and adding any would trigger a re-validation of this list and an updated direct notice to account holders per Privacy Policy §11.
Notification of changes
When this list changes — a new sub-processor is added, or an existing one is replaced — we update this page and notify account holders by email within 30 days, per Privacy Policy §11. If a parent objects to a new sub-processor's involvement with their minor child's data, the parent may exercise the deletion right described in Privacy Policy §5.6.
Contact
Questions about any sub-processor or about how we process data: see Privacy Policy §1 for full operator contact information, or email [email protected]. We respond within 5 business days.