Sub-processors
Notice policy: 30-day notice before adding any sub-processor that will access and/or process customer personal or production data. Tools used only for internal operations are excluded.
| Vendor | Purpose | Location | Certifications |
|---|---|---|---|
| DigitalOcean (FRA1 + AMS3) | Primary hosting & back-ups | EU | SOC 2, ISO 27001 |
| ChartMogul | Subscription analytics (MRR/ARR) | Germany | SOC 2, ISO 27001 |
| Cloudflare | CDN & WAF | Global | SOC 2, ISO 27001 |
| Google Workspace | Email & docs (support) | US (EU-US DPF) | SOC 2, ISO 27001 |
| Intercom | In-app chat & support tickets | EU / US | SOC 2, ISO 27001 |
| Mailjet / Postmark | Transactional email | France / US | SOC 2, ISO 27001 |
| PostHog EU Cloud | Product analytics (opt-in) | Germany | ISO 27001 |
| Rewardful | Affiliate programme | Canada | SOC 2, ISO 27001 |
| Stripe | Payment processing | US | SOC 2, PCI-DSS |
| Auth0 | Identity provider / SSO | US / EU edge | SOC 2, ISO 27001 |
| Google Cloud Platform | Social login & object storage | US (EU-US DPF) | SOC 2, ISO 27001 |
| Userback | Feature requests & bug reports | Australia | SOC 2, ISO 27001 |
| Sentry | Error logging & monitoring | US | SOC 2, ISO 27001 |
| Anthropic | AI-model inference (prompts via MCP) | US | SOC 2, ISO 27001 |
| OpenAI | AI-model inference (prompts via MCP) | US | SOC 2, ISO 27001 |