Subprocessors
Last updated: 2026-06-03
A "subprocessor" is any third-party vendor that processes personal data on our behalf. Under GDPR, we are required to disclose them.
This page lists every vendor that touches user data in the Service, what data they process, where they're located, and our legal basis for sharing.
If you are a B2B customer who needs a Data Processing Agreement (DPA), email [email protected].
Active subprocessors
| Vendor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH | Server hosting (Laravel app + SQLite database) | All hosted user data | Germany / Finland (EU) | No transfer (EU to EU) |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, R2 backup storage | Technical, usage, encrypted backups | Global edge network | SCCs |
| Stripe Payments Europe Ltd. | Payment processing, subscriptions | Payment card, billing address, email | EU + US | SCCs + EU adequacy |
| Amazon Web Services, Inc. (SES) | Transactional email delivery | Email addresses, message content | EU (eu-central-1, Frankfurt) | SCCs |
| Backblaze, Inc. (B2) | Encrypted off-site database backups | All hosted user data (encrypted at rest) | US-West | SCCs |
| DataForSEO LLC | SEO data API (SERP, keywords, backlinks, AI citation mentions) | Keywords and domain names you query | EU + US | SCCs |
| Google LLC (Search Console API) | Reads your GSC data on your behalf, only if you connect | OAuth tokens, fetched search performance data | Global | SCCs + EU adequacy |
| Google LLC (Identity / Sign-In) | Verifies your identity when you sign in with Google | OAuth tokens, email, name | Global | SCCs + EU adequacy |
| GitHub, Inc. (future, optional) | Reads specific repositories and posts PRs, only if you connect | OAuth tokens, repo contents we fetch | US | SCCs |
We do NOT use AI model providers (Anthropic, OpenAI, Google Gemini) as subprocessors. AI inference happens inside your IDE under your vendor relationship, not ours. See Section 7 of our Privacy Policy for the architectural reasoning.
Operational vendors (do not access user data)
These vendors support our operations but don't process user personal data:
- Tailscale: VPN for our server access (not user-facing)
- GitHub: code repository (operator side, no user data unless you explicitly connect a project's repo per the row above)
How we share data with subprocessors
We only share the minimum data necessary for each vendor's stated purpose. Examples:
- AWS SES receives only the email address, subject, and body when sending a transactional email
- Stripe receives only billing data for payment processing
- DataForSEO receives only the specific keyword strings and domains needed to return SERP or keyword data. It does not receive your account identity.
- Google (Search Console API) receives only the OAuth token you authorized, scoped to read-only access to properties you select
International data transfers
Some subprocessors are based outside the EU (Cloudflare, Stripe, Backblaze, DataForSEO, Google, GitHub). For these transfers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism, plus additional safeguards including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (for storage vendors)
- Access controls and audit logs
- The vendor's published privacy and security practices
Changes to this list
When we add, remove, or change subprocessors, we update this page and:
- Notify existing paying customers via email at least 30 days before the change takes effect (where the change might materially affect their data)
- Allow them to terminate their Subscription before the change if they object
The "Last updated" date above always reflects the current version.
Questions
For questions about our subprocessors or to request a DPA:
- Email: [email protected]
- We respond within 30 days as required by GDPR