Subprocessors
Last Updated: May 2, 2026
The following third parties receive data in the course of operating Cloudarq. This list is the authoritative record and supersedes any older enumeration in the Privacy Policy. If you are completing a vendor-risk or SOC 2 questionnaire, or negotiating a DPA, this page is the canonical source.
Active Subprocessors
| Subprocessor | Purpose | Data Received | Location | DPA |
|---|---|---|---|---|
| Hetzner | Infrastructure hosting (compute, network, storage) | All Cloudarq service data (Postgres, Redis, reports on disk) | Helsinki, Finland (EU) | Hetzner DPA |
| Cloudflare | DNS, CDN, TLS termination at the edge, DDoS protection | HTTP request metadata (IP, user agent, URL path), TLS-encrypted request bodies. Origin certificates used server-to-server. | Global edge; US HQ | Cloudflare DPA |
| Paddle | Payment processing, tax compliance, invoicing — Merchant of Record (Paddle is the legal seller of your subscription) | Email, name, billing address, tax ID (for B2B), subscription details. Card data is entered directly on Paddle’s hosted checkout page; Cloudarq servers never see raw PAN or CVV. | United Kingdom + Ireland (EU customers); United States (US customers) | Paddle DPA |
| Anthropic | AI remediation suggestions (Claude API) | Check IDs, finding titles, resource IDs, configuration states. Never: credentials, never: data contents. | United States | Anthropic commercial terms |
| Resend | Transactional email delivery | Recipient email, subject line, rendered email body (verification links, receipts, finding digests) | United States | Resend DPA |
| Sentry | Error monitoring and performance telemetry | Stack traces, request metadata (URL path, method, status), user-agent. PII is explicitly scrubbed via Sentry’s beforeSend hook. | United States (EU data-residency region available on request) | Sentry DPA |
| Plausible | Anonymous web analytics (no cookies, no tracking) | Aggregated page-view counts. No IP stored, no cookies set, no per-visitor identifiers. | European Union (Estonia) | Plausible DPA |
| AWS | Read-only audit of the customer’s own AWS accounts (NOT our hosting) | Account metadata, resource configuration, IAM policies; read-only via assume-role or access key. | Customer’s chosen region | AWS terms |
Standard sub-processor DPA
Paddle’s public Data Processing Agreement is the operative DPA for our payment processing. It covers GDPR Art. 28 standard contractual terms for the EU/UK/Swiss personal data Paddle handles on Cloudarq’s behalf as Merchant of Record. Read it at paddle.com/legal/dpa.
Notes
- AWS is listed for completeness. The customer owns the AWS account we audit. Cloudarq does not host customer workloads on AWS; our own service runs on Hetzner in Helsinki, Finland. AWS appears here because we receive read-only metadata from the customer’s account during a scan.
- No payment data touches Cloudarq servers. Paddle, as Merchant of Record, collects and stores card details directly on its own infrastructure; Cloudarq receives only an opaque customer identifier plus subscription status. The customer’s credit-card statement reads “Paddle.com” with a Cloudarq descriptor.
- Paddle handles tax compliance globally. VAT (EU/UK), GST (AU/IN/SG/JP), US sales tax across all states, and other local indirect taxes are calculated, collected, and remitted by Paddle on Cloudarq’s behalf. No Cloudarq-side tax registration or filing is required in customer jurisdictions where Paddle has nexus.
- Cloudflare is in-path for every HTTP request. Traffic is terminated at a Cloudflare edge before proxying to our origin. If you’re required to keep in-region, we can route your traffic through Cloudflare’s EU-only data plane — contact support.
- Sentry is configured to scrub PII. We send stack traces and request metadata; we do not send request bodies, response bodies, or user inputs.
- No advertising or behavioural-tracking subprocessors. Plausible is anonymous and cookie-free. We do not use Google Analytics, Segment, Mixpanel, Meta Pixel, Rudderstack, or any equivalent.
Legal documents
The standard agreements vendor-risk reviewers and procurement teams ask for. We don’t ship pre-signed PDFs publicly — every counterparty negotiates one or two clauses and we want to track who has which version. Email [email protected] with the document and your legal entity name and we’ll send the current template back the same business day.
- Data Processing Agreement (DPA) — GDPR Art. 28 standard contractual terms covering EU/UK/Swiss personal data, sub-processor lists, and security measures.
- Business Associate Agreement (BAA) — HIPAA-regulated workflows. Available pre-signature; we will only countersign once the customer’s use case actually involves PHI we’d be processing.
- Standard Contractual Clauses (SCCs) — EU Commission 2021 modules 1, 2, and 4 for cross-border transfers. Bundled with the DPA.
- Security overview — one-pager covering encryption-at- rest / in-transit, access controls, retention windows, and incident-response timing. Useful as a first-pass attachment to a vendor-risk questionnaire before the full DPA round-trip.
We do not yet hold SOC 2 Type II or ISO 27001 attestations — those are on theroadmap, not yet certified. Don’t mark a row in your vendor-risk tracker as “SOC 2 attested” for CloudArq today; we’ll publish an authoritative letter the day the auditor signs off.
Change Notifications
Changes to this list — adding, removing, or replacing a subprocessor — will be announced in-app and via email to the account’s billing contact at least 30 days in advance where practical. Emergency changes (e.g. a subprocessor goes out of business) will be announced as soon as the replacement is in place.
We commit to updating this page within 7 days of any subprocessor change — whether or not it is preceded by the 30-day announcement — so that the page and the runtime never drift more than a calendar week apart.
Changelog
- 2026-05-02 (Phase E-5): BlueSnap fully removed. The BlueSnap webhook receiver, provider implementation, and all BLUESNAP_* environment variables were deleted from the runtime. Paddle is the sole production payment subprocessor + Merchant of Record. Card data is collected on Paddle’s hosted checkout overlay at
/checkout; Cloudarq servers continue to never see raw PAN or CVV. Historical BlueSnap row references in the database were stripped of theirbs_prefix in Alembic migration v55. - 2026-05-02 (Phase E-1): Paddle promoted from “scheduled” to active subprocessor as the new Merchant of Record. Tax handling globally now flows through Paddle. BlueSnap was moved to a “Phasing Out” table for the duration of the in-flight migration (see the Phase E-5 entry above for the deletion deploy).
- 2026-05-01: Cross-check audit. Verified each row against production runtime:
PAYMENT_PROVIDERnot set in.env.prod→ BlueSnap-active confirmed (code default).SENTRY_DSN,ANTHROPIC_API_KEY,RESEND_API_KEYall set + active. Reconciled the Privacy Policy §3 subprocessor table to match this page (had been missing Cloudflare and Sentry rows since their 2026-04-19 addition here). No subprocessor changes; the lineup is identical to 2026-04-21. - 2026-04-21: Corrected Paddle status: code-complete but not yet active. Previous wording suggested Paddle was a non-functional stub; that stopped being true as of the
T4-*commits between 2026-04-18 and 2026-04-20. The data-handling posture is unchanged (no traffic flows to Paddle untilPAYMENT_PROVIDERis flipped); only the accuracy of the disclosure has been corrected. - 2026-04-19 (emergency audit): Added Cloudflare and Sentry as active subprocessors; both had been operating as de-facto data-handlers without explicit disclosure. Added Paddle under “scheduled, not yet live” to give customers the 30-day notice window before the Prompt-10 payment-provider cutover lands. Linked each subprocessor to its public DPA.
- 2026-04-18: Initial public subprocessor list (Hetzner, BlueSnap, Anthropic, Resend, Plausible, AWS).
Contact
Questions about subprocessors, DPAs, or SCCs: [email protected].