← Compliance hub · Trust Center
Subprocessors & change notices
Third parties that may process service data on our behalf.
Lists evolve as product features ship. Change notices describe intent — timing may vary for emergency security substitutions.
Current subprocessors (representative)
| Provider | Purpose | Typical data |
|---|
| Cloudflare | Workers, R2, D1, Queues, DNS, TLS, Turnstile, optional AI | Runtime payloads you route through us; metadata; logs. |
| Stripe | Payments & billing | Billing contact, payment tokens at Stripe, tenant IDs in metadata. |
| OAuth identity providers | Delegated sign-in | Tokens/claims as configured by you (e.g. Google, Apple). |
Change notification
- We publish updates on this page and reference them from the Trust Center.
- For material subprocessor additions or replacements affecting personal data processing, we target at least 30 days advance notice where commercially reasonable.
- Emergency substitutions (e.g., critical security incident at a vendor) may occur with shorter notice; we document rationale internally.
- DPA customers may receive additional channels as stated in their executed agreement.