Security and trust

The boring answers
before procurement
asks for them.

A factual trust packet for boards, accountants, and IT reviewers: data flow, vendors, access controls, DPA status, and the path for security questions.

Trust packet

Status,
not badges.

Lobby avoids unsupported certification claims. Active posture and roadmap items are described as such.

DPA

Available on request for clubs that need procurement review.

GDPR

Lobby acts as processor for clubs: each club is the controller for its own members' data, and member data is handled under that club relationship rather than under a direct relationship between Lobby and the member.

Data location

The production database runs in Neon's eu-central-1 (Frankfurt) region, the EU region used by the rest of the infrastructure stack.

Payments

Card data is handled by Stripe, not stored in Lobby.

Incident path

Security and compliance requests route to a monitored inbox.

Data flow

App, database,
Stripe, email, support.

The diagram is plain because the system is plain. Each vendor has one operational job.

trust.getlobby.io/data-flow
Member app

Booking, profile, and checkout actions from the club booking surface.

Lobby app

Tenant routing, authorization, booking writes, reminders, and admin workflows.

Neon Postgres

Operational data for clubs, members, bookings, classes, payments, and audit records.

Stripe

Card capture, payment processing, refunds, and payout reporting where Stripe is supported.

Email provider

Transactional booking, login, payment, and staff notification emails.

Support access

Scoped staff access for migration, debugging, and operator-requested support.

Access controls

Access is scoped.
Support is deliberate.

  • Role-based access for organization, club, and member scopes
  • Session cookies set with the HttpOnly and Secure flags
  • Service tokens scoped to the operation they perform
  • Audit records for sensitive administrative workflows
  • Support access granted only for explicit operator work

Support work is tied to migration, debugging, or an operator request. Lobby does not use support access as a hidden analytics path.
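The controls above describe an authorization model (tenant scope first, then club scope, then role, with service tokens limited to an operation allow-list and an audit record for sensitive operations). The following is an added illustration of how such a check is typically enforced; it is not Lobby's code, and the role names, operation names and data model are assumptions made for the example.

```python
"""Tenant-scoped authorization with operation-scoped service tokens and an audit trail.

Added illustration, not Lobby's code. The org -> club -> member hierarchy,
role names and operation names are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# A higher-ranked role satisfies a lower requirement. Hypothetical role names.
ROLE_RANK = {"member": 1, "club_admin": 2, "org_admin": 3}

# Operations that always produce an audit record, whether allowed or denied.
SENSITIVE_OPERATIONS = {"refund", "export_members", "grant_support_access"}


@dataclass(frozen=True)
class Principal:
    subject: str                               # user id or service-token id
    org_id: str                                # tenant the credential belongs to
    club_ids: FrozenSet[str]                   # clubs in scope (org_admin sees all)
    role: Optional[str] = None                 # None for service tokens
    operations: FrozenSet[str] = frozenset()   # allow-list minted into a service token
    is_service: bool = False


@dataclass(frozen=True)
class Resource:
    org_id: str
    club_id: str


@dataclass
class AuditLog:
    records: List[dict] = field(default_factory=list)


def authorize(p: Principal, r: Resource, operation: str,
              required_role: str, audit: AuditLog) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default; the tenant check runs first."""
    allowed, reason = _decide(p, r, operation, required_role)
    if operation in SENSITIVE_OPERATIONS:
        # Audit both outcomes: a denied refund attempt is as interesting as an allowed one.
        audit.records.append({"subject": p.subject, "org": r.org_id, "club": r.club_id,
                              "op": operation, "allowed": allowed, "reason": reason})
    return allowed, reason


def _decide(p: Principal, r: Resource, operation: str, required_role: str) -> Tuple[bool, str]:
    # 1. Tenant isolation: a credential never crosses organizations, whatever its role.
    if p.org_id != r.org_id:
        return False, "cross-tenant"
    # 2. Service tokens are limited to the operations and clubs minted into them;
    #    they carry no role and cannot be escalated by the caller.
    if p.is_service:
        if operation not in p.operations:
            return False, "operation not in token scope"
        if r.club_id not in p.club_ids:
            return False, "club not in token scope"
        return True, "service token"
    # 3. Club scope: only org admins reach every club in their organization.
    if p.role != "org_admin" and r.club_id not in p.club_ids:
        return False, "club out of scope"
    # 4. Role requirement for this operation.
    if ROLE_RANK.get(p.role, 0) < ROLE_RANK[required_role]:
        return False, f"requires {required_role}"
    return True, p.role
```

The ordering matters: the tenant check is evaluated before any role logic so that a club admin or even an org admin from another organization is rejected with the same generic reason as an anonymous caller, and a service token that was minted for `send_reminder` cannot be reused to issue a refund even though both run inside the same tenant.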

Vendor list

Subprocessors
in the open.

Procurement can review the current vendor list before launch. Additions should be communicated through the DPA process.

Service                    | Region                   | Purpose                         | DPA
Railway                    | Frankfurt · Railway EU   | App hosting · object storage    | Signed
Neon                       | eu-central-1 · Frankfurt | Primary database                | Signed
Stripe Payments Europe Ltd | IE · Dublin              | Payments · card data controller | Signed
Cloudflare Email Service   | Cloudflare network       | Transactional email             | Signed
Sentry                     | DE · EU instance         | Error tracking                  | Signed
Cloudflare                 | EU PoP caching           | CDN · edge caching              | Signed

List last reviewed 2026-05-11

Subscribe to subprocessor changes →

EU and GDPR posture

EU hosting
where it matters.

Database

EU region

Payments

Stripe-supported markets

DPA

Available on request

Compliance claims

No fake badges

This page does not claim that every dependency uses the same region. It states the procurement facts: the production database is in the EU region, GDPR/DPA review is supported, and Stripe handles card data under its own payment compliance program.

Contact path

Vulnerability reports

security@getlobby.io for responsible disclosure and sensitive reports.

Compliance requests

compliance@getlobby.io for DPA, vendor, and procurement questions.

Incident communication

Affected operators are contacted through their account owner and admin email.

Board packet

Send the hard questions.
Get direct answers.

    Lobby — Security