§ LEGAL — SUB-PROCESSORS
EFFECTIVE 04 MAY 2026
Sub- processors.
Public list of sub-processors used in our delivery operations. We notify controllers 30 days in advance of any change. Controllers may object to a new sub-processor per GDPR Art. 28(2).
Infrastructure + hosting
| Vendor | Purpose | Region |
|---|---|---|
| Vercel | Edge hosting, serverless functions | US, EU, IN, APAC |
| Cloudflare | DNS, WAF, DDoS protection | Global |
| AWS | S3 (asset storage), CloudFront (CDN) | US-East-1, EU-West-1, AP-South-1 |
Analytics + measurement
| Vendor | Purpose | Region |
|---|---|---|
| Plausible | Cookieless analytics | EU (Germany) |
| Microsoft Clarity | Heatmaps (only after consent) | US |
| Google Analytics 4 | Page analytics (only after consent) | US |
| Stape | GTM Server-Side hosting | EU + US |
Communications
| Vendor | Purpose | Region |
|---|---|---|
| Resend | Transactional + form submissions | US |
| Klaviyo | Our marketing emails (own use) | US |
| Twilio | SMS / WhatsApp (where used) | US |
Collaboration + project management
| Vendor | Purpose | Region |
|---|---|---|
| Notion | Shared workspace per engagement | US |
| Slack | Shared channels per engagement | US |
| GitHub | Code repositories | US |
| Loom | Async video walkthroughs | US |
How we notify changes
This page is the canonical sub-processor list. Material additions or removals are announced via email to all active engagement contacts 30 days in advance. Controllers can object per GDPR Art. 28(2).
Global · USD billing · GDPR + CCPA + DPDP + LGPD compliant by default · DPA available on request
This page reflects current practice. Material changes are posted here and reflected in the effective date above.