Subprocessors
Who else handles your data
Every third-party processor we engage. Ordered by data-sensitivity tier. We will email all paid subscribers at least 30 days before adding a new subprocessor that processes subscriber PII.
For the buyer doing diligence
Procurement asks for this so they can check every vendor in one place — so here it is: each processor, what it touches, its region, its certifications, and a direct link to its DPA. No digging, no engineer required. The two flags that matter for most reviews: card data lives only at Stripe (PCI-DSS L1) and analytics carry no PII.
Start with the most-requested trust routes
Buyers who inspect processors usually want the legal wrapper, the live reliability surface, and the main security summary next.
| Subprocessor | Region | PII? | DPA |
|---|---|---|---|
Stripe Payment processor + subscription billing | EU + US | PII | DPA → |
Vercel Hosting, CDN, edge compute, log retention | EU (fra1 primary), US (iad1 failover) | PII | DPA → |
Resend Transactional email + audience management | US (Tigris primary) | PII | DPA → |
PocketBase / Hetzner Subscriber records, share-tokens, scout sessions | EU (Hetzner Helsinki) | PII | DPA → |
Coinbase Developer Platform x402 facilitator + CDP Server Wallet | US | no PII | DPA → |
PostHog (EU Cloud) Pseudonymous product analytics | EU (Frankfurt) | no PII | DPA → |
GitHub Source data — public commit/repo events | US | no PII | DPA → |
Cloudflare Apex DNS + DDoS shield (gitdealflow.com) | Global anycast | PII | DPA → |
Anthropic LLM inference for /api/answer + /api/ask summarisation | US | no PII | DPA → |
Cleared the diligence? Here’s the low-risk next step.
You came here to vet us — fair. If it checks out, the calmest way in is the free Sunday digest: five accelerating startups a week, no card, one-click unsubscribe, and you never have to read a line of code. Nothing on this site auto-charges, and the methodology behind every pick is public.