Trust Centre

Sub-processors

Every category of third party that touches Crescender data: what they see, where they operate, and the contract they sit under. Bound by Data Processing Addenda; changes announced 30+ days in advance.

Why we publish categories, not vendor names

A SaaS platform is never just one company’s infrastructure: every modern product runs on a layer of third-party services. Schools, enterprises, and privacy- conscious users want to know who those third parties are, what they see, and where they operate.

We publish the categories of sub-processor publicly so the shape of our data flow is fully visible. Specific vendor identities for security-sensitive layers (cloud database, hosting, diagnostics) are disclosed to schools and enterprises under our Data Processing Addendum. The DPA is available on request: email hello@crescender.com.au. This pattern follows ISO 27701’s minimisation principle for operational-dependency disclosure.

Current sub-processor categories

Cloud database, authentication, storage, edge functions

Purpose: Primary platform for application data, account credentials, file storage, and serverless functions

Region: Australia. Globally recognised public cloud infrastructure; data is not replicated to other regions.

Data access: All user data we store

User data does not leave Australia for storage.

Web + edge hosting

Purpose: Serves the marketing site (www.crescender.com.au) and the authenticated web app (app.crescender.com.au)

Region: Australia (edge presence)

Data access: HTTP request metadata; no user data stored

Application diagnostics (crash + error telemetry)

Purpose: Stack traces, transaction timings, device metadata

Region: Global infrastructure (United States primary)

Data access: Anonymous user IDs only; no PII or user content

No PII, no user content, no children's data. Session replay product is not enabled.

Payment processing (Stripe)

Purpose: Card capture, charge, settlement, refund

Region: Global infrastructure; Stripe holds an independently audited PCI-DSS Level 1 certification

Data access: Card data lives entirely on Stripe's side; we hold only an opaque Stripe customer identifier

Stripe is named publicly because it appears in the checkout UI users transact through. The PCI-DSS certifiability we claim under /trust/compliance is inherited from this relationship.

Mobile push notifications (iOS)

Purpose: Delivery of push notifications to iOS devices

Region: Provider regional infrastructure

Data access: Device push tokens; short notification payloads

Mobile push notifications (Android)

Purpose: Delivery of push notifications to Android devices

Region: Provider regional infrastructure

Data access: Device push tokens; short notification payloads

Mobile build + over-the-air updates

Purpose: Compilation pipeline + OTA JS bundle delivery

Region: United States

Data access: Builds + OTA bundles only; no user runtime data

Transactional email delivery

Purpose: Verifications, password resets, deletion-grace reminders, school invitations

Region: Global infrastructure (United States primary)

Data access: Email to/from addresses; email body; no other user data

When the list changes

Adding a new sub-processor that materially changes our data flow (e.g. introducing a new region of processing, or a new category of user data passing through a third party) requires:

  • 30 days notice on this page before the change takes effect.
  • Direct notice to school-tier customers with active DPAs; they may object via the DPA mechanism.
  • Explicit opt-in for materially data-sensitive additions (e.g. anything involving children’s data passing through a new processor).
  • In-app notice to consumer-tier users for additions that affect their data flow.

Removing a sub-processor (consolidation, switching providers) is announced on the same page but doesn’t carry the same 30-day notice requirement: by definition, the user’s data is reaching fewer third parties.

Categories we don’t use

For completeness, the following classes of sub-processor are not used in My Crescender Family or child-facing surfaces:

  • Advertising networks. My Crescender Family and child-facing surfaces do not include advertising SDKs. Other Crescender products may include advertising for non-paying users, but child data is not used for ad targeting.
  • Behavioural analytics that profile users. No third-party session-replay, heatmap, or user-profiling analytics products are used in any Crescender product. Aggregate metrics are computed from our own database.
  • Data brokers. No third parties receive user data for their own use, only as a sub-processor acting on our instructions.
  • External AI providers receiving user content without consent. The Clavet songwriting product uses AI assistance under privacy-preserving terms; the specific AI sub-processor category and the privacy contract it operates under are documented on the Clavet page. No other product currently sends user content to an external AI provider.
← Trust CentreSecurity controls →Privacy posture →

Last updated: 27 May 2026

Sub-processors | categories, regions, and what they see | Crescender