Who we work with
Sub-Processor Selection Criteria
When selecting third-party services that handle personal data or are critical to our infrastructure, we prioritize providers in the following order:
1. SOC 2 Type II and/or ISO 27001 certified providers with EU data residency
2. Uncertified providers with EU data residency
3. Certified providers with non-EU data residency (with appropriate safeguards)
All sub-processors are contractually bound through Data Processing Agreements (DPAs) and Standard Contractual Clauses where applicable.
Our Sub-Processors
Core Infrastructure Sub-Processors
Database & Cloud Infrastructure
MongoDB Atlas (MongoDB, Inc.)
Purpose: Primary database hosting
Data Location: Belgium (GCP europe-west1)
Personal Data: Yes - all application data
Certifications: SOC 2 Type II, ISO 27001, GDPR compliant
Service Authentication: Database credentials with connection string encryption
Administration Authentication: Email/password (Keychain-generated) + 2FA (SMS)
Service Access Control: Database-level user roles
Administration Access Control: Organization roles with principle of least privilege
Criticality: Critical
Google Cloud Platform (Google LLC)
Purpose: Cloud infrastructure, Firebase services, load balancing
Data Location: Belgium (europe-west1)
Personal Data: Yes - authentication, file storage, messaging
Certifications: SOC 2 Type II, ISO 27001, GDPR compliant
Service Authentication: Service accounts with encrypted JSON keys
Administration Authentication: Google Account (Keychain-generated password) + 2FA
Service Access Control: IAM roles with principle of least privilege
Administration Access Control: Organization-level IAM with project-specific permissions
Criticality: Critical
Application Services
Vercel (Vercel Inc.)
Purpose: Web application hosting and CDN
Data Location: France (AWS eu-west-3)
Personal Data: Limited - session cookies, request logs
Certifications: SOC 2 Type II
Service Authentication: API tokens with project-specific scope
Administration Authentication: Email/password (Keychain-generated) + 2FA
Service Access Control: Token-based access with resource restrictions
Administration Access Control: Team roles and project-level permissions with principle of least privilege
Criticality: Critical
Resend (Resend Inc.)
Purpose: Transactional email delivery
Data Location: Ireland (AWS eu-west-1)
Personal Data: Yes - email addresses, delivery metadata
Certifications: SOC 2 Type II
Service Authentication: API keys
Administration Authentication: Email/password (Keychain-generated) + 2FA or OTP
Service Access Control: API key permissions and domain restrictions
Administration Access Control: Team member roles and sending domain permissions
Criticality: Critical
Upstash (Upstash Inc.)
Purpose: Queue management and background job processing
Data Location: Global (with EU endpoints)
Personal Data: Limited - processing metadata
Certifications: SOC 2 Type II
Service Authentication: API tokens + signing key
Administration Authentication: Email/password (Keychain-generated) + 2FA
Service Access Control: Token-based access with resource restrictions
Administration Access Control: Team roles with database-specific permissions
Criticality: Medium
Analytics and User Support
PostHog (PostHog Inc.)
Purpose: User behavior analytics, session replay, error monitoring
Data Location: EU (Frankfurt)
Personal Data: Yes - anonymized usage data, session recordings
Certifications: SOC 2 Type II, GDPR compliant
Service Authentication: Publicly visible project API key with domain verification
Administration Authentication: Email/password (Keychain-generated) + 2FA
Service Access Control: Write access only (to log events, no read allowed)
Administration Access Control: Project-based access with role-based permissions
Criticality: Medium
Google Analytics (Google LLC)
Purpose: Web analytics and user insights
Data Location: EU servers (with BigQuery export to Belgium)
Personal Data: Yes - user interactions
Certifications: ISO 27001, GDPR compliant
Service Authentication: Measurement Protocol with API keys
Administration Authentication: Google Account (Keychain-generated password) + 2FA
Service Access Control: Property-scoped data collection permissions
Administration Access Control: Property-level permissions and user roles
Data Flow: Exported to BigQuery (Belgium) for analysis
Criticality: Medium
Crisp (Crisp IM SARL)
Purpose: Customer support chat interface
Data Location: France
Personal Data: Yes - chat conversations, email addresses
Certifications: GDPR compliant
Service Authentication: Widget authentication with domain restrictions
Administration Authentication: Email/password (Keychain-generated) + 2FA
Service Access Control: Website-specific widget configuration
Administration Access Control: Agent roles and conversation access permissions
Criticality: Low
Internal Operations
Retool (Retool Inc.)
Purpose: Internal administration tools and database management
Data Location: US (with EU data processing)
Personal Data: Yes - full database access for administration
Certifications: SOC 2 Type II, GDPR compliant
Service Authentication: -
Administration Authentication: Email/password (Keychain-generated) + 2FA
Service Access Control: -
Administration Access Control: Role-based access with app-level permissions
Criticality: Critical
BigQuery (Google LLC)
Purpose: Data warehouse for analytics and reporting
Data Location: Belgium (europe-west1)
Personal Data: Yes - aggregated and anonymized analytics data
Certifications: SOC 2 Type II, ISO 27001, GDPR compliant
Service Authentication: Service account with encrypted keys
Administration Authentication: Google Account (Keychain-generated password) + 2FA
Service Access Control: Dataset-level IAM roles with query restrictions
Administration Access Control: Project-level permissions with dataset-specific access
Criticality: Low
Data Processing Safeguards
Legal Framework: All sub-processors operate under contractual data protection obligations through their Terms of Service, Data Processing Addendums, or formal DPAs where applicable
International Transfers: Standard Contractual Clauses (SCCs) implemented for non-EU processors
Access Controls: API authentication with IP restrictions and rate limiting where applicable
Data Minimization: Only necessary data shared with sub-processors based on service requirements
For sub-processor and data processing questions, contact: [email protected]
Last Updated: August 2025