Legal

Sub-processors

Last updated July 7, 2026

TemplateThis is a good-faith template drafted for an open-source project. It is not legal advice and must be reviewed and adapted by qualified counsel before you rely on it in production.

To deliver the hosted service we rely on the vetted third parties below. Each is engaged under written terms that impose data-protection obligations consistent with our Data Processing Addendum. This list is the authoritative register referenced by the DPA. Self-hosted deployments do not use our sub-processors.

Infrastructure sub-processors

Sub-processorPurposeData processedLocationApplies to
Amazon Web Services (AWS)Cloud hosting and compute, managed PostgreSQL database, object storage and encrypted backups, and certificate/registry tooling.All hosted Service data at rest and in transit (account, configuration, domain/DNS, logs).United States (primary region), with AWS global infrastructure.All customers
Cloudflare, Inc.DNS, CDN, WAF, and reverse proxy for our own domains, plus origin protection for the control plane.Request metadata and traffic to our public endpoints; limited network-layer data.United States / global edge network.All customers
Let's Encrypt (Internet Security Research Group)Automated issuance and renewal of TLS/SSL certificates (ACME) for connected custom domains.Domain names for which certificates are requested.United StatesCustomers using automatic SSL

Business and optional sub-processors

Sub-processorPurposeData processedLocationApplies to
Stripe, Inc.Payment processing and subscription/usage billing.Billing contact, plan and usage data, and payment details entered directly with Stripe (we do not receive full card numbers).United States / global.Paid customers
Name.com (registrar partner)Backend registrar for the optional domain-search and domain-purchase feature.Registrant contact details required by the registry to register a domain.United StatesCustomers using the registrar feature
Google LLCOptional single sign-on (OAuth) for the console.Google account identifier, name, and email, only if you choose Google sign-in.United States / global.Customers who use Google sign-in

Customer-directed DNS providers and registries

When you or your end-users connect a domain, the Service interacts with the DNS provider and registry you choose (for example, your registrar or managed-DNS host). Those providers act on your instruction and are independent controllers of the data you send them; they are not our sub-processors. Where automatic DNS changes are authorized, provider access tokens are used once and discarded rather than stored.

Changes and how to subscribe

We may add or replace sub-processors as the Service evolves. When we do, we will update this page and, for customers who have subscribed, provide advance notice so you can review the change. Under the DPA, you may object to a new sub-processor on reasonable data-protection grounds within the notice window described there.

To be notified of changes to this list, email [email protected]with the subject "Subscribe: sub-processor updates." This list was last updated on July 7, 2026.