The vendors we trust with your data.
Five third-party services power our stack. This page lists each one, what data they see, where it lives, and their data processing agreement. We update it every time the list changes.
- CFCloudflare, Inc.CDN, TLS, DDoS protectionIP, headers, requestsGlobal CDN
- HZHetzner Online GmbHApplication + database hostingAll app dataEU
- MxMaxMind, Inc.IP-to-country geolocationIP address (transient)US
- ReResend Inc.Transactional email deliveryEmail, message bodyEU + US
- StStripe Payments Europe Ltd.Payment processing & invoicingBilling, name, emailEU + US
Tap a column header on desktop to sort. Last updated May 2026.
Standard Contractual Clauses
All vendors that touch personal data outside the EEA are bound by the European Commission's 2021 Standard Contractual Clauses, with extra technical measures (encryption in transit + at rest) for the US-based ones.
Data minimisation
We send each vendor the minimum data they need to do their job. Stripe sees billing and email, never your brief. Resend sees the email body, never your billing.
Change policy
We notify in-portal and via email at least 30 days before adding a new subprocessor that handles personal data, so you can object before the change goes live.
Want the formal version?
Our Data Processing Agreement references this list and binds us to keep it current. The DPA is auto-applicable to anyone with a paid plan.