This Subprocessor List (this “Subprocessor List” or this “List”) describes the third-party service providers that Cornerstone Strategy LLC (doing business as Route X; “Route X,” “we,” or “us”) uses or may use to provide, operate, protect, support, and improve Route X's website, web application, services, features, integrations, and related tools (collectively, the “Services”).
This Subprocessor List supplements Route X's Data Processing Addendum (“DPA”), Privacy Policy, Terms of Service, Security Overview, and applicable written agreements between Customer and Route X, and should be read together with those documents.
1. Purpose
This Subprocessor List identifies the third-party service providers that Cornerstone Strategy LLC uses or may use to provide, operate, protect, support, and improve the Services. The List is designed to allow Customers (including coaching firms, enterprise customers, organization administrators, legal, HR, and IT personnel) to identify third parties that may process Customer Personal Data on behalf of Route X.
In this Subprocessor List, “Subprocessor” means a third-party service provider that Route X engages to process Customer Personal Data in connection with the Services. Some providers listed may not directly process Customer Personal Data but support the operation of the Services in a manner relevant to Customer's assessment.
Terms used in this Subprocessor List but not defined herein shall have the meanings given in the DPA or the applicable Agreement.
2. Data Processing Addendum Relationship
This Subprocessor List supplements Route X's Data Processing Addendum and is incorporated into, or read together with, the DPA. Where a DPA has been entered into between Customer and Route X, or where the DPA is incorporated into the Agreement, this List forms part of the disclosure Route X provides regarding Subprocessors.
In the event of any conflict between this Subprocessor List and the DPA regarding the processing of Customer Personal Data, the DPA shall prevail. However, specific Subprocessor information in this List may be updated from time to time in accordance with the methods described in Section 8 (Updates and Notifications).
This Subprocessor List is also related to the Privacy Policy, Terms of Service, and Security Overview, but its primary purpose is disclosure regarding Subprocessors. For a broader description of how Route X processes Personal Data or approaches security, please refer to those documents.
3. Current Subprocessors
The table below lists the Subprocessors Route X uses or plans to use, where applicable. Some entries are listed as categories because specific providers may vary or are not yet confirmed. The Status column indicates whether the provider is "Used or planned," "If enabled," or "To be confirmed."
| Subprocessor | Category | Feature | Purpose | Data Processed | Region | Status |
|---|
| MongoDB Atlas or similar managed database provider | Database / Data Storage | Core application database | Application database hosting and storage | Account data, user profiles, org data, client records, coaching records, booking data, subscription status, app metadata | To be confirmed | To be confirmed |
| AWS or similar cloud infrastructure / file storage provider | Cloud Infrastructure / File Storage | File uploads, shared materials, storage infrastructure | File storage, uploaded materials, storage infrastructure and related cloud services | Uploaded files, shared materials, file metadata, storage identifiers, access logs, technical metadata | To be confirmed | Used or planned |
| Stripe | Payment Processing | checkout, subscriptions, billing portal, invoices, payment methods | checkout, subscriptions, payment methods, invoices, billing portal, payment security and fraud prevention | Billing contact info, payment identifiers, customer ID, subscription status, invoice data, transaction metadata. Route X does not store full payment card numbers. | To be confirmed | Used or planned |
| Google | Authentication / Calendar / Meeting Integration | Google OAuth, Google Calendar, Google Meet (if enabled) | Google OAuth, Google Calendar availability, calendar event creation, Google Meet link generation if enabled | OAuth identifiers, calendar availability metadata, calendar event metadata, meeting link metadata, integration status | To be confirmed | Used or planned |
| Microsoft | Calendar / Microsoft Graph Integration | Outlook Calendar, Microsoft Graph, Microsoft Teams (if enabled) | Outlook Calendar availability, Microsoft Graph integration, calendar event creation, possible Microsoft Teams workflows | OAuth identifiers, calendar availability metadata, calendar event metadata, integration status | To be confirmed | Used or planned |
| Zoom | Video Meeting Integration | Zoom OAuth, Zoom meeting links | Zoom OAuth, meeting creation, meeting link generation, meeting-related integrations | OAuth identifiers, meeting metadata, meeting links, integration status | To be confirmed | Used or planned |
| email service provider (e.g., Mailgun, Mailjet, AWS SES, SMTP provider or similar) | Email / Communications | OTP, email verification, password reset, booking confirmations, reminders, admin alerts, service communications | OTP, email verification, password reset, booking confirmations, reminders, admin alerts, service communications | Name, email address, email content, delivery metadata, communication logs | To be confirmed | To be confirmed |
| hosting provider (e.g., Vercel, Render, AWS or similar) | Hosting / Deployment | Frontend hosting, backend hosting, deployment, compute, networking, application delivery | Frontend hosting, backend hosting, deployment, compute, networking, application delivery | Technical metadata, IP address, request logs, application logs, limited account or session metadata where applicable | To be confirmed | To be confirmed |
| analytics provider (e.g., Google Analytics or similar, if enabled) | Analytics | Website analytics, product analytics if enabled | Website analytics, product analytics, performance measurement, usage trend analysis | Usage data, device/browser info, pages viewed, event data, approximate location, analytics identifiers | To be confirmed | If enabled |
| error monitoring or security monitoring provider (e.g., Sentry or similar, if enabled) | Monitoring / Error Tracking | Error diagnostics, performance monitoring, security-relevant event tracking if enabled | Error diagnostics, performance monitoring, security-relevant event tracking | Error logs, device/browser metadata, technical diagnostic info, user or account identifiers where applicable | To be confirmed | If enabled |
| customer support provider (e.g., featurebase or similar, if enabled) | Customer Support | Support ticket handling, customer communication, troubleshooting if enabled | Support ticket handling, customer communication, troubleshooting | Contact info, support messages, account metadata, issue details | To be confirmed | If enabled |
Specific providers within each category may change over time. Where a provider is listed as a category (e.g., "email service provider"), Route X may select or change specific providers within that category in accordance with Section 8.
4. Function-Based Subprocessors
The table below maps the main features of the Service to the Subprocessor categories associated with those features. Not all categories are used for all Customers or features.
| Feature | Subprocessor Categories | Example Providers | Notes |
|---|
| Account Registration and Login | Hosting / Infrastructure, Database, Authentication, Email / Communications | Vercel, Render, AWS, MongoDB Atlas, Google (OAuth), Microsoft (OAuth), email service provider | Used for account registration, user authentication, and delivery of authentication or password reset messages. |
| Core Application Database | Database, Hosting / Infrastructure | MongoDB Atlas or similar, AWS or similar | Stores accounts, organizations, coaching, scheduling, billing identifiers, and related metadata. |
| Client and Coaching Management | Database, Hosting / Infrastructure, File Storage | MongoDB Atlas, AWS, similar providers | Supports client records, coaching session logs, goals, action items, reflections, and growth records where applicable. |
| Scheduling and Booking | Database, Hosting / Infrastructure, Calendar Integrations, Email / Communications | MongoDB Atlas, AWS, Google, Microsoft, email service provider | Supports availability calculation, booking workflows, and confirmation or reminder notifications. |
| Calendar Integration | Calendar Integrations | Google (Google Calendar), Microsoft (Outlook Calendar, Microsoft Graph) | Used for availability lookup and calendar event creation or update per user instructions acting through the Service. |
| Video Meeting Integration | Video Meeting Integrations | Zoom, Google Meet, Microsoft Teams (if enabled) | Supports meeting link generation and video meeting workflows. |
| Payments and Subscriptions | Payment Processing | Stripe | checkout, billing portal, payment methods, invoices, subscription status, and related processing. Route X does not store full payment card numbers. |
| File Uploads and Shared Materials | File Storage, Hosting / Infrastructure | AWS S3 or similar, Vercel, Render, similar providers | Used for storing uploaded files and shared materials under access controls implemented within the Service, where applicable. |
| Email Notifications and Reminders | Email / Communications | Mailgun, Mailjet, AWS SES, SMTP provider or similar | OTP, password reset, booking confirmations, reminders, admin or service communications delivery. |
| Analytics (if enabled) | Analytics | Google Analytics or similar | Used for measuring website or product usage, performance, and trends if enabled. |
| Error Monitoring and Support (if enabled) | Monitoring / Error Tracking, Customer Support | Sentry or similar, featurebase or similar | Used for identifying and resolving technical issues and handling customer support communications if enabled. |
5. Subprocessor Categories
The table below summarizes the categories of Subprocessors Route X uses or may use, and the purposes providers in each category may serve.
| Category | Purpose |
|---|
| Hosting / Infrastructure | Hosting, compute, networking, deployment, application delivery |
| Database | Application database hosting and storage |
| File Storage | Uploaded files, shared materials, storage infrastructure |
| Payment Processing | checkout, subscriptions, billing portal, payment methods, invoices, fraud prevention |
| Authentication | Login, OAuth, account authentication, identity workflows |
| Calendar Integrations | Availability lookup, scheduling, calendar event creation, modification, cancellation |
| Video Meeting Integrations | Meeting link creation and video meeting workflows |
| Email / Communications | OTP, password reset, registration emails, booking confirmations, reminders, support emails |
| Analytics | Website analytics, product analytics, usage trends, performance measurement if enabled |
| Monitoring / Error Tracking | Error diagnostics, system reliability, performance, security-relevant event monitoring |
| Customer Support | Support communications, customer inquiry handling, issue resolution, ticketing |
6. Subprocessors Data Processed by Subprocessors
Depending on the relevant feature or service, Subprocessors may process the following categories of data where applicable:
- Account information
- Name and email address
- Organization or company information
- Roles, titles, user types
- Authentication identifiers
- Client and contact records
- Coaching relationship information
- Session dates/times and related metadata
- Booking and scheduling information
- Calendar availability metadata
- Meeting link metadata
- Uploaded files and shared materials where applicable
- Billing identifiers and subscription status
- Support communications
- Technical logs, diagnostic info, and usage metadata
- Integration tokens, identifiers, or metadata where applicable
Route X does not use Subprocessors to expose private details of a coach's external calendar to unauthorized parties. Route X's scheduling design is intended to show clients only the available booking slots calculated by Route X, not private event titles, attendees, descriptions, or other private calendar details from the coach's calendar. Calendar integrations are used to calculate availability and to create or update calendar events at the request of users acting through the Services.
Each Subprocessor processes data only to the extent necessary to provide its portion of the Services and in accordance with the terms agreed between Route X and that Subprocessor. Customer's submission of data to the Services is subject to the DPA, the Agreement, the Acceptable Use Policy, and the Privacy Policy.
7. International Processing
Subprocessors may process data in the United States, Japan, or other countries where Route X, its infrastructure providers, or Subprocessors operate. The "Region" column in Section 3 displays "To be confirmed" where a specific region is not yet confirmed or where a provider operates in multiple regions.
Where required by applicable law or contract, Route X uses appropriate safeguards for international data transfers. Where applicable, such safeguards may include contractual safeguards, transfer impact assessments, the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, or other lawful transfer mechanisms.
Customers with specific international data transfer requirements should review the DPA and contact Route X regarding arrangements that may apply to their use of the Services.
8. Updates and Notifications
Route X may update this Subprocessor List from time to time to reflect additions, changes, or removals of Subprocessors or other changes to the Services. The "Effective Date" shown at the top of this List indicates the date of the most recent update.
Where required by the DPA, applicable law, or written agreement, Route X shall provide notice of material changes to Subprocessors. Notice may be given by one or more of the following reasonable methods:
- Email to designated contact
- in-app notice
- website notice
- customer account notice
- Publication of updated Subprocessor List
Customers wishing to receive notice of Subprocessor changes may contact us at privacy@route-x.app where available, or at the support contact published on the Route X website. Customer is responsible for keeping up to date the contact information Customer provides to Route X for this purpose.
9. Customer Objection Process
Customer may object to a new Subprocessor on reasonable data protection grounds within the period set out in the DPA or applicable written agreement. If no period is specified, Customer shall raise an objection within a reasonable time after receipt of notice of the new Subprocessor.
The objection should include:
- The Subprocessor in question
- Data protection concerns
- Affected Service or features
- Reasonable basis for the objection
Route X shall work in good faith with Customer to address such concerns. If the parties are unable to resolve an objection, Customer may, as Customer's sole remedy and subject to the DPA or Agreement and applicable contract, terminate the affected portion of the Services.
Objections should be limited to reasonable data protection grounds related to the Subprocessor in question. General commercial preferences, service specification preferences, or other business reasons unrelated to data protection are outside the scope of this process.
10. Contact
For questions or notices regarding this Subprocessor List (including requests to receive Subprocessor change notifications), please contact:
