Sub-processors
A sub-processor is a third party that processes your data on our behalf. We keep the list short on purpose - every additional sub-processor is another vendor to audit and another DPA to negotiate.
Current list
| Sub-processor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Application hosting + object storage | EU (Germany) and US (Virginia) |
| Stripe, Inc. | Subscription billing and payment processing | US, with EU data routing for EU customers |
| Postmark (ActiveCampaign) | Outbound transactional email (notifications, autoresponders, receipts) | US, with EU data routing on Pro and above |
| Akismet (Automattic) | Spam classification for submissions | US |
| hCaptcha (Intuition Machines) | Human-verification challenge on hosted forms | Routed regionally |
| OpenAI, L.L.C. | AI moderation scores, AI insights, and AI-drafted replies - only for teams on plans with AI features, and only on forms where those features are switched on | US |
That's it. No analytics tracker on customer-facing submission pages, no shadow vendors, no data shared with anyone outside this list.
Hetzner
What it does: runs our virtual machines, our managed databases, and our S3-compatible object storage.
What we send it: everything. Submissions, files, encrypted database state, application logs.
Why: Hetzner is one of the few hosts that offers high-quality EU-resident infrastructure at a price that lets us run a fair pricing model. Data centers are in Germany (FSN1, NBG1, HEL1) and the US (ASH1). Hetzner is GDPR-compliant and signs SCCs for any cross-region transfers.
DPA reference: linked from our DPA.
Stripe
What it does: processes credit cards, runs subscription billing, generates invoices, handles SCA / 3DS, hosts the customer billing portal.
What we send it: customer email, billing address, the invoice line items, and (via the customer's browser, never via our backend) card numbers. Tax IDs if you've supplied them. We never see full PANs ourselves - see payment methods for the boundary.
Why: Stripe is the boring correct answer for billing. PCI-DSS Level 1, SOC 2 Type II, and they handle SCA + tax + invoicing in a way that's hard to replicate.
Region: Stripe is US-headquartered but supports EU data routing for European customers. EU customer data is processed on EU infrastructure under SCCs.
DPA reference: stripe.com/dpa.
Postmark
What it does: sends transactional email - submission notifications to form owners, autoresponders to submitters, billing receipts, account emails.
What we send it: the recipient's email address, the message body (which contains the submission payload for notifications, or the autoresponder template for autoresponders), and minimal metadata.
Why: Postmark has the highest deliverability of any transactional provider we've tested. They route from dedicated IPs and they're aggressive about cutting off spammers, which keeps our reputation clean.
Region: US-headquartered. Pro and Team customers are routed via Postmark's EU servers (Dublin); Free customers are US-routed because Postmark gates EU routing behind a paid tier on their side.
DPA reference: postmarkapp.com/dpa.
Akismet
What it does: classifies submissions as spam or ham. We send the form payload (sanitized of fields you've marked as PII) plus minimal context (IP, user agent, the form's URL) and Akismet returns a verdict + confidence score.
What we send it: as little as possible - fields you've marked as pii: true in the form schema are stripped before being sent. By default, the email field, IP, and free-text body fields are sent. See spam classification for what you can opt out of.
Why: Akismet is good at spam, and spam is our biggest filtering challenge. Their dataset spans millions of WordPress sites, which gives them signal we couldn't build alone.
Region: US-only. There's no EU-routed Akismet. If your DPA prohibits any US-routed processing of submission data, disable Akismet on the form (under Form → Spam protection) and rely on hCaptcha + our internal heuristics. Note that AI moderation also routes through a US provider (see OpenAI below), so leave it off too in that case.
DPA reference: akismet.com/privacy.
hCaptcha
What it does: presents a human-verification challenge before a submission is accepted. The challenge is rendered in the submitter's browser and the verification token is sent to our backend, which calls hCaptcha to confirm.
What we send it: the verification token, the submitter's IP, and the site key. The submission payload itself is not sent to hCaptcha.
Why: hCaptcha is the privacy-respecting alternative to reCAPTCHA. They don't sell user data or run a global advertising graph off challenge interactions, and they're routed regionally so EU users hit EU-hosted challenge servers.
Region: globally distributed; hCaptcha auto-routes based on submitter geography.
DPA reference: hcaptcha.com/privacy.
OpenAI
What it does: powers the optional AI features - per-submission moderation scores, AI insights summaries, submission categorization, and AI-drafted autoresponder replies.
What we send it: the submission content needed for the specific feature, and nothing else. No account data, no billing data, no files. Nothing is sent unless your team's plan includes AI features and you have switched the specific AI feature on for the form - both conditions are enforced server-side before any AI job is dispatched.
Why: a dedicated language model materially out-performs heuristics for moderation and summarization. We use OpenAI's API under their business terms: API data is not used to train their models, and their standard retention window applies.
Region: US. If your DPA prohibits US-routed processing of submission data, leave AI features off - the product works fully without them.
DPA reference: openai.com/policies/data-processing-addendum.
What about other things you might expect to see here?
- No analytics on submission endpoints. We don't load Google Analytics, Plausible, or anything else on formspring.io/f/.... Submissions are processed without third-party JS.
- No CDN data path for submissions. Cloudflare fronts our marketing site, but submission POSTs go directly to our origin, bypassing the CDN.
- AI processing is opt-in, twice over. No submission data is sent to any AI provider unless your plan includes AI features and you have enabled the specific feature on the form. Teams that never turn AI on never have submission data leave our infrastructure for AI processing.
Adding a sub-processor
We notify customers on Pro and above by email at least 30 days before adding a new sub-processor. The notification includes the vendor, the purpose, and any change to data flow. You have the option to terminate before the new sub-processor goes live if you object - see your DPA for the formal mechanism.
What's next
- GDPR - the formal posture and DSAR flow
- Regional hosting - where the primary data lives
- Encryption - what's encrypted and where
- Data retention - how long things stick around