Subprocessors

Last updated: (to be confirmed at release)

In accordance with Section 11 of the Terms of Use and Section 6 of the Privacy Policy, this page lists the subprocessors used to operate the Service.

Current subprocessors

Subprocessor	Purpose	Processing location	Transfer mechanism
Amazon Web Services (Amazon Web Services Japan G.K.)	Static site hosting (Amazon S3 + Amazon CloudFront)	Tokyo region (ap-northeast-1); CDN is global	The AWS Data Processing Addendum (DPA), with the EU Standard Contractual Clauses (SCC) made available by AWS for transfers from the European Economic Area (EEA) and the United Kingdom
Google LLC (Google Fonts)	Web font delivery (M PLUS Rounded 1c / Noto Sans JP / Nunito Sans)	Global CDN	Google's published Google Fonts data handling policy and the EU Standard Contractual Clauses (SCC) made available by Google. IP addresses are transiently obtained during font requests; Google states that this information is not used for profiling or advertising
GitHub, Inc. (Microsoft Corporation)	Source control and CI/CD pipeline (not used for processing personal data itself)	Global	The GitHub Data Protection Addendum (DPA), with the EU Standard Contractual Clauses (SCC) made available by Microsoft / GitHub for EEA / UK transfers

Planned subprocessors

We will add subprocessors below to this page when we deploy them, and will give at least thirty (30) days' notice through the Service and the official website in accordance with Section 8 of the Terms of Use and Section 5 of the Privacy Policy.

Subprocessor	Purpose	Processing location	Transfer mechanism
Amazon Web Services	Shared post image delivery (Amazon S3 + Amazon CloudFront, dedicated bucket `smileprogress-images-*`); to be added together with the iOS sharing implementation	Tokyo region (ap-northeast-1); CDN is global	Same as the AWS DPA / SCC above
Amazon Web Services	Email delivery for deletion-request notifications and contact-form replies (via Amazon SNS Topic and Amazon SES)	Tokyo region (ap-northeast-1)	Same as the AWS DPA / SCC above
Amazon Web Services	Application and backend log / metric monitoring (Amazon CloudWatch)	Tokyo region (ap-northeast-1)	Same as the AWS DPA / SCC above
Google LLC (Google Analytics 4)	Web analytics for the official website; the tag fires only after Cookie consent has been obtained	Global	The Google Ads Data Processing Terms (DPA) and the EU Standard Contractual Clauses (SCC) made available by Google. IP anonymization will be enabled
Apple Inc. (iCloud / CloudKit)	Storing a pseudonymous identifier (owner_id) in the user's iCloud private database so that ownership and the right to delete shared Posts can be carried across devices; to be added together with the iOS owner_id continuity implementation	Apple data centers (including the United States)	Apple's Standard Contractual Clauses (SCC) and data processing terms
Apple Inc. (Sign in with Apple)	Optional sign-in for owner identification (we receive only the pseudonymous identifier (sub) issued by Apple, not the Apple ID itself or your name); to be added together with the iOS owner_id continuity implementation	Apple data centers (including the United States)	Apple's Standard Contractual Clauses (SCC) and data processing terms

Subprocessors under consideration (no current plan to adopt)

We may consider these as user count or scope grows. If adopted, we will add them to this page following the same notification procedure as above.

Error aggregation SaaS (for example, Sentry / Datadog). For now, only Amazon CloudWatch is used

Obligations imposed on subprocessors

The Service Provider contractually requires each subprocessor to comply with the following, as set out in Section 11 of the Terms of Use:

No use beyond the purpose of the engagement
Confidentiality
Appropriate safeguards
Sub-subprocessor management (no further delegation without the Service Provider's prior consent)

Change log

Date	Change
(to be confirmed at release)	Initial publication (AWS / Google Fonts / GitHub)