We notify customers 30 days in advance of any new sub-processor that processes personal data. You may object in writing.
| Vendor | Purpose | Region | DPA |
|---|---|---|---|
| Vercel Inc. | Web app hosting (apps/web), preview deploys | EU (Frankfurt) — origin in US | Link |
| Cloudflare Inc. | MCP gateway (Workers + Durable Objects), KEK secrets, R2 assets | EU (Frankfurt) — EU-region lock for Workers | Link |
| Neon Inc. | Primary Postgres database (Drizzle ORM) | EU (Frankfurt) | Link |
| Stripe Payments Europe Ltd. | Subscriptions, invoices, Stripe Tax, customer portal | IE (EU) — global card network | Link |
| Inngest Inc. | Background jobs (audits, recommendations refresh, GDPR jobs) | EU region | Link |
| Sentry GmbH | Application error monitoring (no PII, no replay) | EU | Link |
| PostHog Ltd. | Anonymous product analytics (Session Replay disabled) | EU | Link |
| Resend Inc. | Transactional email (login magic-links, receipts, audit reports) | US — SCC + DPA | Link |
| Better Stack | Public status page (status.helferlain.com) | EU | Link |
| Loops.so | Lifecycle email (welcome, trial-end, re-engagement) | US — SCC + DPA | Link |
Explicitly NOT sub-processors
These vendors are not Helferlain sub-processors — the legal relationship runs directly between you and them:
- Anthropic — You bring your own key (BYOK). Anthropic processes inference under your direct contract. We are an intermediary, not a processor of prompt content.
- OpenAI — Same as Anthropic — BYOK direct contract.
- Google Ads, GA4, Search Console, Bigin, Meta, LinkedIn, TikTok — These are platforms you connect via OAuth. Your relationship is governed by their respective terms; Helferlain only reads / writes on your behalf.