Get notified of changes. We give 30 days' notice before adding or changing a subprocessor. Subscribe to updates by emailing [email protected] with subject "Subscribe to subprocessor updates", or follow the RSS feed (coming soon).
Core infrastructure
| Provider | Role | Data location | Transfer mechanism |
|---|---|---|---|
| Hetzner | Application hosting, database hosting, file storage | Falkenstein, Germany | EEA (no transfer) / SCCs as applicable |
| Cloudflare | CDN, DDoS protection, TLS termination | Global edge; rest at origin | SCCs (Art. 46.2.c GDPR) |
| Hetzner backup storage | Off-site encrypted backups | Falkenstein, Germany | EEA / SCCs as applicable |
Operational tooling
| Provider | Role | Data location | Transfer mechanism |
|---|---|---|---|
| Sentry (Functional Software, Inc.) | Error and performance monitoring; centralised application logs and metrics | Frankfurt, Germany (EU instance) | EEA — no transfer outside the EEA for primary processing |
Communications
| Provider | Role | Data location | Transfer mechanism |
|---|---|---|---|
| Mailgun | Send transactional emails (invitations, notifications, password resets) | EU | SCCs as applicable |
| MailerLite | Send opt-in marketing emails (newsletters) | EU | SCCs as applicable |
Payments
| Provider | Role | Data location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Card processing, subscription billing, invoicing | EEA processing; some support functions outside EEA | SCCs (where transfers occur). The processor is an independent controller for fraud-prevention and compliance purposes. |
Analytics
| Provider | Role | Data location | Transfer mechanism |
|---|---|---|---|
| Plausible | Aggregated product analytics, used only with user consent | EU | EEA / SCCs as applicable |
Change history
The most recent change to this list was on 5 May 2026 — initial publication.
Questions? Write to [email protected]. The binding version of this document is the most recent one published at foyerflow.app/legal.