Interactive sub-processors page for customers #527
Conversation
github-actions
bot
added
the
security and privacy
|
Warning Rate limit exceeded@alex72508 has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 13 minutes and 59 seconds before requesting another review. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📒 Files selected for processing (1)
WalkthroughAdds a client-side Astro component (SubProcessorsForm) for interactive sub-processor lookup, a docs page embedding it, updates the existing sub-processors doc (SMS entries, Aside, relatedArticles), and reformats Content-Security-Policy directives in Changes
Sequence Diagram(s)sequenceDiagram
autonumber
actor User
participant Page as Docs Page
participant Form as SubProcessorsForm
participant Hist as Browser History
User->>Page: Open interactive sub-processors doc
Page->>Form: Mount component
Form->>Form: Read URL params, populate inputs
User->>Form: Change selections (services, region, email/sms)
Form->>Hist: replaceState(updatedQuery)
Form->>Form: Filter static dataset, apply conditional rules, dedupe results
Form-->>User: Render results table or no-results message
Form->>User: Scroll to results when complete
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested reviewers
Poem
✨ Finishing Touches🧪 Generate unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
SupportNeed help? Create a ticket on our support page for assistance with any issues or questions. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
|
Preview link for this pull request via AWS - https://docs-sub-processors-form.d3cas3woxl0xu0.amplifyapp.com/trust-center/privacy-and-compliance/sub-processors/ |
Deploying kinde-docs-previews with
|
| Latest commit: |
8dde81e
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://ef147e17.kinde-docs-previews.pages.dev |
| Branch Preview URL: | https://docs-sub-processors-form.kinde-docs-previews.pages.dev |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (8)
src/components/SubProcessorsForm.astro (4)
87-90: Improve accessibility: announce results updates to screen readersExpose the results region as an ARIA live region and associate a label.
- <div id="results" class="hidden"> - <h3 class="text-lg font-semibold mb-4">Your Sub-processors</h3> + <div id="results" class="hidden" aria-live="polite" role="region" aria-labelledby="resultsTitle"> + <h3 id="resultsTitle" class="text-lg font-semibold mb-4">Your Sub-processors</h3> <div id="subProcessorsTable"></div> </div>
27-85: Accessibility: group related controls with fieldset/legend (especially radios)Use semantic grouping for each set of radios/checkboxes to improve navigation for assistive tech. Example for Data Region:
- <td class="w-1/4 px-3"> - <label class="block text-sm font-medium mb-2"> - Data Region * - </label> - <div class="space-y-2"> + <td class="w-1/4 px-3"> + <fieldset> + <legend class="block text-sm font-medium mb-2">Data Region *</legend> + <div class="space-y-2"> ... - </div> + </div> + </fieldset> </td>Replicate for Email Services and SMS Services.
487-499: Reduce stringly-typed conditions in data entriesInstead of string conditions like "emailServices === 'Kinde default'", consider boolean flags in data (e.g., requiresKindeEmail: true, requiresKindeSms: true). This avoids brittle string matching and is easier to validate.
Happy to draft the data schema and refactor the filter.
589-591: Back/forward navigation: sync form on popstateCurrently, changing history works, but back/forward won’t rehydrate the form. Add a popstate listener:
results.classList.remove('hidden'); results.scrollIntoView({ behavior: 'smooth' }); } + + window.addEventListener('popstate', () => { + setFormFromUrl(); + checkFormCompletion(); + });src/content/docs/trust-center/privacy-and-compliance/sub-processors-interactive.mdx (3)
4-4: Update description/summary to include SMS providerThe tool also filters by SMS provider. Reflect that in metadata for search and accuracy.
-description: "Interactive tool to view relevant sub-processors based on your Kinde configuration including data region, services used, and email provider." +description: "Interactive tool to view relevant sub-processors based on your Kinde configuration including data region, services used, email provider, and SMS provider." @@ -ai_summary: "Interactive tool to view relevant sub-processors based on your Kinde configuration including data region, services used, and email provider." +ai_summary: "Interactive tool to view relevant sub-processors based on your Kinde configuration including data region, services used, email provider, and SMS provider."Also applies to: 33-33
30-30: Set updated date to match this changeReflect the current update date.
-updated: "2024-08-02" +updated: "2025-08-11"
38-38: Fix double space in sentenceSmall typo.
-Please refer to the [sub-processors](/trust-center/privacy-and-compliance/sub-processors/) page for a comprehensive list of sub-processors, more information about how we use them, and how to request a Data Processing Agreement (DPA). +Please refer to the [sub-processors](/trust-center/privacy-and-compliance/sub-processors/) page for a comprehensive list of sub-processors, more information about how we use them, and how to request a Data Processing Agreement (DPA).src/content/docs/trust-center/privacy-and-compliance/sub-processors.mdx (1)
32-32: Align front matter updated date with the stated “Last update”Front matter shows 2024-08-02 but the page states “Last update... August 11, 2025.” Align these.
-updated: "2024-08-02" +updated: "2025-08-11"Also, a small grammar tweak reads better:
-Last update to the sub-processors for the external users is August 11, 2025. +Last update to the sub-processors for external users is August 11, 2025.Also applies to: 42-42
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
src/components/SubProcessorsForm.astro(1 hunks)src/content/docs/trust-center/privacy-and-compliance/sub-processors-interactive.mdx(1 hunks)src/content/docs/trust-center/privacy-and-compliance/sub-processors.mdx(3 hunks)
🔇 Additional comments (2)
src/components/SubProcessorsForm.astro (1)
120-134: Verify data correctness: AWS Email/SMS locationsDouble-check that:
- AWS Email services location is Australia-only for all regions (as modeled).
- AWS SMS services locations mirror the selected region.
These match the docs, but worth confirming with infra teams to avoid compliance drift.
Also applies to: 244-258
src/content/docs/trust-center/privacy-and-compliance/sub-processors.mdx (1)
54-59: Confirm policy statements for Email/SMS opt-out casesThe notes about custom SMTP/SMS excluding AWS as a sub-processor look correct. Please verify with legal/compliance that this wording matches your DPA definitions and notify workflows.
Also applies to: 79-84
| condition: "smsServices === 'Kinde default'" | ||
| }, | ||
| { | ||
| service: "Stripe", | ||
| entityType: "Billing and invoicing", | ||
| link: "https://stripe.com/", | ||
| locations: { | ||
| "Australia": "United States", | ||
| "Canada": "United States", | ||
| "Europe": "United States", | ||
| "United Kingdom": "United States", | ||
| "United States": "United States" | ||
| } | ||
| }, | ||
| { | ||
| service: "Temporal", | ||
| entityType: "Webhooks", | ||
| link: "https://temporal.io/", | ||
| locations: { | ||
| "Australia": "Australia", | ||
| "Canada": "Canada", | ||
| "Europe": "Ireland", | ||
| "United Kingdom": "United Kingdom", | ||
| "United States": "United States" | ||
| } | ||
| }, | ||
| { | ||
| service: "Discord", | ||
| entityType: "Customer support", | ||
| link: "https://discord.com/", | ||
| locations: { | ||
| "Australia": "United States", | ||
| "Canada": "United States", | ||
| "Europe": "United States", | ||
| "United Kingdom": "United States", | ||
| "United States": "United States" | ||
| } | ||
| }, | ||
| { | ||
| service: "Google", | ||
| entityType: "Customer support", | ||
| link: "https://workspace.google.com/", | ||
| locations: { | ||
| "Australia": "United States", | ||
| "Canada": "United States", | ||
| "Europe": "United States", | ||
| "United Kingdom": "United States", | ||
| "United States": "United States" | ||
| } | ||
| }, | ||
| { | ||
| service: "InKeep", | ||
| entityType: "Customer support", | ||
| link: "https://inkeep.com/", | ||
| locations: { | ||
| "Australia": "United States", | ||
| "Canada": "United States", | ||
| "Europe": "United States", | ||
| "United Kingdom": "United States", | ||
| "United States": "United States" | ||
| } | ||
| }, | ||
| { | ||
| service: "Microsoft", | ||
| entityType: "Customer support", | ||
| link: "https://www.microsoft.com/", | ||
| locations: { | ||
| "Australia": "United States", | ||
| "Canada": "United States", | ||
| "Europe": "United States", | ||
| "United Kingdom": "United States", | ||
| "United States": "United States" | ||
| } | ||
| }, | ||
| { | ||
| service: "Plain", | ||
| entityType: "Customer support", | ||
| link: "https://www.plain.com/", | ||
| locations: { | ||
| "Australia": "United Kingdom", | ||
| "Canada": "United Kingdom", | ||
| "Europe": "United Kingdom", | ||
| "United Kingdom": "United Kingdom", | ||
| "United States": "United Kingdom" | ||
| } | ||
| }, | ||
| { | ||
| service: "Slack", | ||
| entityType: "Customer support", | ||
| link: "https://slack.com/", | ||
| locations: { | ||
| "Australia": "United States", | ||
| "Canada": "United States", | ||
| "Europe": "United States", | ||
| "United Kingdom": "United States", | ||
| "United States": "United States" | ||
| } | ||
| } | ||
| ] | ||
| }; |
There was a problem hiding this comment.
🛠️ Refactor suggestion
Avoid data drift: extract sub-processors dataset to a single source of truth
The static data here duplicates information in the docs tables. To prevent inconsistencies, extract to a JSON/YAML file (e.g., src/data/sub_processors.json) and import it both in this component and to render the tables in MDX (or generate both from the same source).
I can provide the data file and refactor this component to import it.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (5)
customHttp.yml (5)
8-8: Trim trailing spaces to satisfy yamllint.Line 8 has trailing spaces flagged by YAMLlint. Remove them.
- https://www.youtube-nocookie.com; child-src 'self'; + https://www.youtube-nocookie.com; child-src 'self';
8-8: Prefer frame-src/worker-src over deprecated child-src.child-src is deprecated in CSP3 in favor of frame-src (for iframes) and worker-src (for workers). You already use frame-src; consider replacing child-src with worker-src if needed.
- https://www.youtube-nocookie.com; child-src 'self'; + https://www.youtube-nocookie.com; worker-src 'self';
13-14: Consider adding form-action to scope form submissions.Given this PR introduces an interactive form, explicitly constrain where forms can POST.
- base-uri 'none'; font-src 'self' https://fonts.gstatic.com; img-src + base-uri 'none'; form-action 'self'; font-src 'self' https://fonts.gstatic.com; img-src
83-85: Management APIs CSP: additions look fine; mirror ws: fix here too.The added hosts are OK. Also update any bare ws to ws: in this block to avoid CSP parse issues.
97-99: Frontend APIs CSP: additions look fine; mirror ws: fix here too.Same note as above for WebSocket scheme tokens.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
customHttp.yml(4 hunks)src/components/SubProcessorsForm.astro(1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
- src/components/SubProcessorsForm.astro
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2024-09-20T04:56:23.891Z
Learnt from: marcosmartini
PR: kinde-oss/documentation#190
File: customHttp.yml:39-40
Timestamp: 2024-09-20T04:56:23.891Z
Learning: The `Strict-Transport-Security` header remains present in `customHttp.yml`; verify carefully before flagging its removal.
Applied to files:
customHttp.yml
🪛 YAMLlint (1.37.1)
customHttp.yml
[error] 8-8: trailing spaces
(trailing-spaces)
🔇 Additional comments (3)
customHttp.yml (3)
13-13: Good hardening: base-uri 'none'.Nice addition. This blocks attackers from setting a URL to rewrite relative links.
14-14: img-src changes look correct.Allowing 'self', data:, GCS, and Cloudflare Images aligns with existing assets.
49-51: script-src reflow retains all hashes and 'self'.No loss of coverage detected; the directive remains functionally equivalent.
There was a problem hiding this comment.
Actionable comments posted: 2
♻️ Duplicate comments (2)
src/components/SubProcessorsForm.astro (2)
381-399: Great: robust URL normalization for deep linksLowercasing and kebab-casing URL params plus case-insensitive parsing are in place. This stabilizes deep links and makes manual edits resilient.
Also applies to: 420-429
95-356: Avoid data drift: move sub-processors dataset to a single source of truthThe static dataset duplicates the docs tables. Extract to a JSON/YAML (e.g., src/data/sub_processors.json) and import it here and in MDX rendering to prevent inconsistencies.
🧹 Nitpick comments (4)
src/components/SubProcessorsForm.astro (4)
87-90: A11y: announce dynamic results and tie heading to regionMake the results region accessible to screen readers by announcing updates and labelling the region.
- <div id="results" class="hidden"> - <h3 class="text-lg font-semibold mb-4">Your Sub-processors</h3> + <div id="results" class="hidden" role="region" aria-live="polite" aria-labelledby="results-title"> + <h3 id="results-title" class="text-lg font-semibold mb-4">Your Sub-processors</h3>
541-552: A11y: add a table caption for contextProvide a caption for assistive tech users.
- <table class="min-w-full border border-gray-300"> - <thead> + <table class="min-w-full border border-gray-300"> + <caption class="sr-only">Sub-processor providers for your selected configuration</caption> + <thead>
579-581: Respect prefers-reduced-motion when scrolling to resultsAvoid forced smooth scroll for users who prefer reduced motion.
- results.classList.remove('hidden'); - results.scrollIntoView({ behavior: 'smooth' }); + results.classList.remove('hidden'); + const reduceMotion = window.matchMedia && window.matchMedia('(prefers-reduced-motion: reduce)').matches; + if (!reduceMotion) { + results.scrollIntoView({ behavior: 'smooth' }); + } else { + results.scrollIntoView(); + }
495-501: Guard against missing region mappings in datasetFuture data edits might omit a region key; avoid rendering “undefined” locations.
- relevantSubProcessors.push({ - service: processor.service, - entityType: processor.entityType, - link: processor.link, - location: processor.locations[dataRegion] - }); + const location = processor.locations ? processor.locations[dataRegion] : undefined; + if (!location) { + return; // Skip if there's no mapping for the selected region + } + relevantSubProcessors.push({ + service: processor.service, + entityType: processor.entityType, + link: processor.link, + location + });
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
src/components/SubProcessorsForm.astro(1 hunks)
🔇 Additional comments (1)
src/components/SubProcessorsForm.astro (1)
93-93: CSP inline scripts are already whitelisted via SHA-256 hashesWe don’t need to externalize this
<script>—ourcustomHttp.ymluses explicitscript-srchashes and gets updated automatically byscripts/update-csp.json every build. That post-build hook fingerprints any new inline script and injects its SHA-256 into the “**” CSP pattern, so the inline code will continue to run without'unsafe-inline'or nonces.Key locations to verify:
• customHttp.yml – look under thepattern: '**'entry’sscript-srcfor the SHA-256 hashes
• scripts/update-csp.js – the postbuild script that scans for inline<script>blocks and appends their hashes to the CSP
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (5)
customHttp.yml (5)
8-8: Fix YAML lint error: trailing spaces.Line 8 ends with trailing spaces, causing YAMLlint to fail. Remove them.
- https://www.youtube-nocookie.com; child-src 'self'; + https://www.youtube-nocookie.com; child-src 'self';
8-8: Modernize CSP: prefer worker-src over child-src.child-src is deprecated in CSP3 for controlling workers. If the intent is to scope workers, use worker-src. Keeping child-src for legacy is fine, but consider adding worker-src for clarity.
- https://www.youtube-nocookie.com; child-src 'self'; + https://www.youtube-nocookie.com; child-src 'self'; worker-src 'self';
49-51: script-src formatting is fine; confirm hashes cover all inline scripts.The reflow keeps semantics intact. Ensure any new inline scripts added by the interactive page are included in this hash list, or consider nonces if they’re dynamic.
84-85: img-src may be too restrictive for /kinde-apis/management/Only allowing https://storage.googleapis.com may block images or data URIs used by the API reference UI. Consider adding 'self' and data: unless intentionally locked down.
- img-src https://storage.googleapis.com + img-src 'self' data: https://storage.googleapis.com
98-98: img-src may be too restrictive for /kinde-apis/frontend/As above, consider allowing 'self' and data: if required by the UI.
- img-src https://storage.googleapis.com + img-src 'self' data: https://storage.googleapis.com
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
customHttp.yml(4 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2024-09-20T04:56:23.891Z
Learnt from: marcosmartini
PR: kinde-oss/documentation#190
File: customHttp.yml:39-40
Timestamp: 2024-09-20T04:56:23.891Z
Learning: The `Strict-Transport-Security` header remains present in `customHttp.yml`; verify carefully before flagging its removal.
Applied to files:
customHttp.yml
🪛 YAMLlint (1.37.1)
customHttp.yml
[error] 8-8: trailing spaces
(trailing-spaces)
🔇 Additional comments (1)
customHttp.yml (1)
13-14: Good hardening: base-uri 'none' and explicit img-src.Adding base-uri 'none' and scoping img-src improves security. Looks good.
Description (required)
We often get questions about the sub-processors in use. We support multiple regions where customer data is stored, which means we need to list all the countries out. Our product stores and processes data in the selected region. This may be confusing when presented with all the possible options.
This change will create a new page that has an interactive form to help customers determine the appropriate list of sub-processors. The page also has a deep link in it so that it can be bookmarked for future reference. Hopefully this will reduce support queries related to sub-processors.
Summary by CodeRabbit
New Features
Documentation
Chores