Subprocessors
We engage the third-party processors below to deliver the Services. Each one is bound by data-protection terms equivalent to our DPA. Workspace owners can subscribe to subprocessor-change notices from settings/billing — we give at least 30 days' advance notice before adding or replacing a vendor.
Supabase
Their DPA →- Category
- Authentication + database + storage
- Purpose
- Customer account records, Personal Data, file storage
- Location
- EU (eu-central-1)
Stripe
Their DPA →- Category
- Payments + tax + invoicing
- Purpose
- Billing address, VAT-ID, payment-method tokens, invoice records
- Location
- US — EU–US Data Privacy Framework certified
- Transfer basis
- EU–US Data Privacy Framework (Stripe Payments Europe Ltd. acts as data controller for payment data)
Cloudflare
Their DPA →- Category
- Object storage (R2) + Workers + edge dispatch
- Purpose
- Customer media files, customer-site bandwidth metering
- Location
- EU + global edge
Fly.io
Their DPA →- Category
- Compute (per-customer Machines + ByNoon services)
- Purpose
- Hosting infrastructure
- Location
- AMS (Amsterdam)
Resend
Their DPA →- Category
- Transactional email
- Purpose
- Email addresses + email body for delivery
- Location
- US/EU split
- Transfer basis
- Standard Contractual Clauses
GitHub (an Octopus Deploy company)
Their DPA →- Category
- Per-project repository sync
- Purpose
- Customer project source code + push history
- Location
- US — DPF certified
- Transfer basis
- EU–US Data Privacy Framework
Cloudflare Stream
Their DPA →- Category
- Video transcoding + hosting
- Purpose
- Customer video uploads + transcoded outputs
- Location
- EU + global edge
Maintained at /admin/subprocessors. Material additions are notified to opted-in workspace owners at least 30 days in advance.