Legal
Sub-processors
Last updated July 7, 2026
To deliver the hosted service we rely on the vetted third parties below. Each is engaged under written terms that impose data-protection obligations consistent with our Data Processing Addendum. This list is the authoritative register referenced by the DPA. Self-hosted deployments do not use our sub-processors.
Infrastructure sub-processors
| Sub-processor | Purpose | Data processed | Location | Applies to |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and compute, managed PostgreSQL database, object storage and encrypted backups, and certificate/registry tooling. | All hosted Service data at rest and in transit (account, configuration, domain/DNS, logs). | United States (primary region), with AWS global infrastructure. | All customers |
| Cloudflare, Inc. | DNS, CDN, WAF, and reverse proxy for our own domains, plus origin protection for the control plane. | Request metadata and traffic to our public endpoints; limited network-layer data. | United States / global edge network. | All customers |
| Let's Encrypt (Internet Security Research Group) | Automated issuance and renewal of TLS/SSL certificates (ACME) for connected custom domains. | Domain names for which certificates are requested. | United States | Customers using automatic SSL |
Business and optional sub-processors
| Sub-processor | Purpose | Data processed | Location | Applies to |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription/usage billing. | Billing contact, plan and usage data, and payment details entered directly with Stripe (we do not receive full card numbers). | United States / global. | Paid customers |
| Name.com (registrar partner) | Backend registrar for the optional domain-search and domain-purchase feature. | Registrant contact details required by the registry to register a domain. | United States | Customers using the registrar feature |
| Google LLC | Optional single sign-on (OAuth) for the console. | Google account identifier, name, and email, only if you choose Google sign-in. | United States / global. | Customers who use Google sign-in |
Customer-directed DNS providers and registries
When you or your end-users connect a domain, the Service interacts with the DNS provider and registry you choose (for example, your registrar or managed-DNS host). Those providers act on your instruction and are independent controllers of the data you send them; they are not our sub-processors. Where automatic DNS changes are authorized, provider access tokens are used once and discarded rather than stored.
Changes and how to subscribe
We may add or replace sub-processors as the Service evolves. When we do, we will update this page and, for customers who have subscribed, provide advance notice so you can review the change. Under the DPA, you may object to a new sub-processor on reasonable data-protection grounds within the notice window described there.
To be notified of changes to this list, email [email protected]with the subject "Subscribe: sub-processor updates." This list was last updated on July 7, 2026.