SUB-PROCESSOR APPENDIX
Last updated: July 6, 2026
This Sub-processor Appendix supplements the Lasso Terms of Service and Privacy Policy.
Lasso uses sub-processors and other third-party providers to provide, secure, support, monitor, analyze, and operate the Services. Some providers act as Lasso sub-processors. Other providers act as Merchant-directed providers, independent controllers, businesses, or third parties depending on the integration mode, feature, and provider terms.
Lasso may update this Appendix in accordance with the sub-processor notice and objection process in the Terms of Service.
Current Providers
Service category | Current vendor examples | Purpose | Data categories | Role |
Payment orchestration | Gr4vy | Payment authorization, capture, refunds, and dispute handling | Tokenized payment method, transaction amount, currency, buyer ID, billing address | Sub-processor or independent provider depending on integration mode |
Marketplace payments and payouts | Whop | Marketplace-model merchant payout processing | Buyer email/name, payment records, OAuth identity, business KYC data | Sub-processor or independent provider depending on integration mode |
Transactional email | Resend | Order, verification, and account-related emails | Recipient email, name, store name, order number, verification codes | Sub-processor |
Infrastructure, storage, and queues | Amazon Web Services | Event processing, storage, queues, infrastructure, and operational monitoring | Webhook payloads, async job payloads, application logs, Customer Personal Data as needed | Sub-processor |
Security and network protection | Cloudflare | WAF, DDoS protection, application security scanning, and network protection | HTTP request data, IP addresses, user-agent strings | Sub-processor |
Error monitoring and debugging | Sentry | Error monitoring and application debugging | Error messages, stack traces, session IDs, IP addresses, user-agent strings, page context | Sub-processor |
Infrastructure monitoring and observability | Grafana Cloud | Infrastructure monitoring, logging, and observability | Application logs, metrics, performance data, request metadata | Sub-processor |
Product analytics | PostHog | Product analytics and behavioral event tracking | Page visits, click events, session data, user properties, behavioral events | Sub-processor |
Address autocomplete | Google Places API | Address autocomplete and address validation at checkout | Partial address input, validated address responses | Sub-processor or independent provider depending on Google API terms and configuration |
Web content extraction | Firecrawl | Web content extraction for store and content generation features | URLs and extracted web content | Sub-processor |
AI / LLM services | Anthropic | AI-assisted store and content generation features | Merchant-supplied prompts, product copy, URLs, generated content | Sub-processor |
LLM observability | Langfuse | LLM observability, debugging, and monitoring | LLM prompts, outputs, metadata, logs, and related observability data | Sub-processor |
Identity resolution | Persistent, IntentWave | Optional identity resolution for enabled merchants | Hashed email, hashed phone, device fingerprint, IP address, user-agent, behavioral signals, resolved identity records returned | Sub-processor for data flowing through Lasso checkout; independent controller/business for provider’s own identity graph or data graph |
Offer network and post-purchase monetization | Rokt, AfterSell | Optional third-party offers, offer selection, personalization, measurement, attribution, optimization, and monetization | Product category, order value, cart composition, shopper context signals, offer engagement events | Independent controller/business/third party for Offer Network Services |
Commerce platforms | Shopify, WooCommerce | Order sync, commerce platform integrations, fulfillment support | Order details, customer contact information, fulfillment details, product information | Merchant-directed provider |
Merchant-connected email service providers | Klaviyo and future merchant-connected ESPs | Abandoned cart recovery, post-purchase email flows, and merchant-directed marketing communications | Customer email, name, cart contents, locale, order totals | Merchant vendor, not Lasso sub-processor |
Merchant-connected advertising platforms | Meta, Google, Taboola, TikTok, and similar merchant-connected ad platforms | Conversion measurement and ad attribution through merchant-connected ad accounts | Hashed email/phone, IP address, user-agent, shipping address, cart contents, order value, click IDs | Merchant vendor and independent controller/business under platform terms, not Lasso sub-processor |
Tax classification | Avalara | Sales tax classification of merchant products | Product catalog data | Sub-processor |
Customer support tooling | Intercom, Zendesk | Merchant customer support inbox operations and support communications | Ticket content, attachments, customer name and email | Sub-processor |
International Transfer Safeguards
Where required, Lasso uses appropriate transfer safeguards for international transfers, including adequacy decisions, EU Standard Contractual Clauses, the UK International Data Transfer Addendum, the UK International Data Transfer Agreement, Swiss adaptations, or other lawful transfer mechanisms.
Sub-processor Notice
Lasso will provide at least 30 days’ prior notice of any new or replacement sub-processor by updating this Appendix, posting in the dashboard, sending email notice, or using another reasonable notice method. Merchant may object on reasonable data protection grounds as described in the Terms of Service.
