Skip to main content
MavenPay
Sub-Processors

Sub-Processors

The categorical infrastructure backbone behind MavenPay, disclosed at category level

  • Last updated ·
  • Effective from ·
Read in fullReach Compliance
The Short Version

Listed by category: every sub-processor that processes customer data or executes operations on behalf of MavenPay, grouped by function. The named list is held privately and provided to B2B data-controller customers under DPA. Reach compliance@mavenpay.com for the named list.

1. Reading This Page

Each category lists the function of the sub-processor, the jurisdiction it operates from, and the data category it touches.

The named list is held privately. B2B customers under DPA receive the full named list via compliance@mavenpay.com.

Categorical disclosure honours the locked rule that names of third parties stay off the public marketing site.

2. Payments and Settlement

Payments orchestration, fiat to stablecoin settlement, multicurrency accounts. Regulated under multi-jurisdictional money-transmission licensing. Touches transaction amount, currency, counterparty.

Crypto on-ramp and off-ramp for USDC, EURC, USDT. Regulated under multi-jurisdictional money-transmission licensing. Touches transaction amount, asset, counterparty address.

Card-rail layer for live FX rates and card issuance. Global card rail. Touches card number, transaction amount, merchant, MCC.

3. Bank Linking

Bank-account linking, verification, balance reads, transaction history. Regulated under each jurisdiction's data-broker rules. Touches bank-account number, routing number, balance, transaction history.

4. Identity and KYC

Government-ID verification, selfie liveness, address validation, date of birth, ultimate-controller disclosures. Regulated under FINTRAC, GDPR, PIPEDA, PDPA. Touches identity documents and biometric verification artefacts.

5. Travel and Concierge

Premium aviation inventory, pricing, and routing. Touches flight itinerary, passenger name, payment authorisation.

Yacht-charter inventory and booking. Touches charter itinerary, charterer name, payment authorisation.

Flight inventory and booking. Touches flight itinerary, passenger name, date of birth, nationality, payment authorisation.

Hotel inventory and booking. Touches hotel itinerary, guest name, special requests, payment authorisation.

Airport-transfer inventory and booking. Touches pickup and dropoff address, passenger name, payment authorisation.

Global eSIM activation. Touches device IMEI, plan selection, payment authorisation.

6. Communications

Transactional and marketing email through the slug-routed sender registry (verify@, support@, billing@, concierge@). Touches email address, message body.

Voice, SMS, MMS for support callbacks, six-digit code backup, concierge calls. Touches phone number, call audio (only on consent-recorded calls), SMS body.

Text-to-speech for live voice agents. Touches text-to-be-spoken (transient, not retained).

Speech-to-text for live voice agents. Touches voice audio (transient, not retained).

Real-time video and voice infrastructure for the concierge desk. Touches video and audio session metadata; media streams are not retained.

Video-avatar rendering for the concierge desk. Touches agent-persona configuration; no customer PII.

7. Observability and Analytics

Event-stream backbone for every audit and telemetry event. Touches aggregated metrics; PII scrubbed before publish.

Analytics-store layer for compliance audit and analytics. Touches aggregated transaction metrics, KYC outcomes, fraud signals (PII-scrubbed under regulator authorisation).

Application-performance and error monitoring. Touches anonymised error stacks; no PII.

Sovereign observability backbone running on operator infrastructure. Touches traces and logs from every service.

8. Security and Fraud

Continuous compliance-evidence collection for SOC 2, ISO 27001, PCI DSS. Touches organisation-level control evidence; no individual customer PII.

File-hash threat intelligence for the security forensics path. Touches file SHA-256 hashes only; no file contents.

Indicator-of-compromise sharing for threat intelligence. Touches indicators of compromise; no customer PII.

Edge security: zero-trust tunnel, WAF, and access controls. Touches visitor IP and user agent (standard CDN headers).

9. Storage and Database

Managed Postgres and Vault for tenant configuration, identity registry, audit logs, prompt templates, agent-passport keys (Vault-encrypted). Touches every customer-facing data category.

Object storage for generated brand assets, period-close PDFs, and KYC documents (encrypted at rest, signed-URL access only). Touches KYC document images.

Relationship-graph layer for identity, control, delegation, compliance. Touches identity and relationship metadata.

Vector-index layer for RAG embeddings. Touches embedding vectors derived from extracted document text.

10. Integrations

500-plus business-tool integrations (accounting, payroll, HR, CRM, communications, code hosting). Touches per-integration data scopes that the customer authorises at OAuth time.

11. Sub-Processor Change Notifications

On any addition, removal, or change of a sub-processor, this page is updated and B2B customers under DPA are notified at least 30 days before the change takes effect (per GDPR Art. 28(2) right to object).

Subscribe at compliance@mavenpay.com to receive sub-processor change notifications by email.

Contact compliance@mavenpay.com to request the named sub-processor list under DPA.

Behind The Rail

Built On A Regulated Canadian Rail

Money Service Business🇨🇦C1000000640FINTRAC-registered
Payment Service Provider🇨🇦Supervised By Bank Of CanadaVerify on Bank of Canada
Reach

Questions about this document? Reach compliance@mavenpay.com.

Document version effective 2026-05-01. Last updated 2026-05-01. Prior versions available on request.