Sub-processors
A sub-processor is a third party that processes your data on our behalf. We keep the list short on purpose — every additional sub-processor is another vendor to audit and another DPA to negotiate.
Current list
| Sub-processor | Purpose | Region |
|---|---|---|
| Hetzner Online GmbH | Application hosting + object storage | EU (Germany) and US (Virginia) |
| Stripe, Inc. | Subscription billing and payment processing | US, with EU data routing for EU customers |
| Postmark (ActiveCampaign) | Outbound transactional email (notifications, autoresponders, receipts) | US, with EU data routing on Pro+ |
| Akismet (Automattic) | Spam classification for submissions | US |
| hCaptcha (Intuition Machines) | Human-verification challenge on hosted forms | Routed regionally |
That's it. No analytics tracker on customer-facing submission pages, no shadow vendors, no data shared with anyone outside this list.
Hetzner
What it does: runs our virtual machines, our managed databases, and our S3-compatible object storage.
What we send it: everything. Submissions, files, encrypted database state, application logs.
Why: Hetzner is one of the few hosts that offers high-quality EU-resident infrastructure at a price that lets us run a fair pricing model. Data centers are in Germany (FSN1, NBG1, HEL1) and the US (ASH1). Hetzner is GDPR-compliant and signs SCCs for any cross-region transfers.
DPA reference: linked from our DPA.
Stripe
What it does: processes credit cards, runs subscription billing, generates invoices, handles SCA / 3DS, hosts the customer billing portal.
What we send it: customer email, billing address, the invoice line items, and (via the customer's browser, never via our backend) card numbers. Tax IDs if you've supplied them. We never see full PANs ourselves — see payment methods for the boundary.
Why: Stripe is the boring correct answer for billing. PCI-DSS Level 1, SOC 2 Type II, and they handle SCA + tax + invoicing in a way that's hard to replicate.
Region: Stripe is US-headquartered but supports EU data routing for European customers. EU customer data is processed on EU infrastructure under SCCs.
DPA reference: stripe.com/dpa.
Postmark
What it does: sends transactional email — submission notifications to form owners, autoresponders to submitters, billing receipts, account emails.
What we send it: the recipient's email address, the message body (which contains the submission payload for notifications, or the autoresponder template for autoresponders), and minimal metadata.
Why: Postmark has the highest deliverability of any transactional provider we've tested. They route from dedicated IPs and they're aggressive about cutting off spammers, which keeps our reputation clean.
Region: US-headquartered. Pro and Team customers are routed via Postmark's EU servers (Dublin); Free customers are US-routed because Postmark gates EU routing behind a paid tier on their side.
DPA reference: postmarkapp.com/dpa.
Akismet
What it does: classifies submissions as spam or ham. We send the form payload (sanitized of fields you've marked as PII) plus minimal context (IP, user agent, the form's URL) and Akismet returns a verdict + confidence score.
What we send it: as little as possible — fields you've marked as pii: true in the form schema are stripped before being sent. By default, the email field, IP, and free-text body fields are sent. See spam classification for what you can opt out of.
Why: Akismet is good at spam, and spam is our biggest filtering challenge. Their dataset spans millions of WordPress sites, which gives them signal we couldn't build alone.
Region: US-only. There's no EU-routed Akismet. If your DPA prohibits any US-routed processing of submission data, disable Akismet on the form (under Form → Spam protection) and rely on hCaptcha + our internal heuristics + AI moderation instead.
DPA reference: akismet.com/privacy.
hCaptcha
What it does: presents a human-verification challenge before a submission is accepted. The challenge is rendered in the submitter's browser and the verification token is sent to our backend, which calls hCaptcha to confirm.
What we send it: the verification token, the submitter's IP, and the site key. The submission payload itself is not sent to hCaptcha.
Why: hCaptcha is the privacy-respecting alternative to reCAPTCHA. They don't sell user data or run a global advertising graph off challenge interactions, and they're routed regionally so EU users hit EU-hosted challenge servers.
Region: globally distributed; hCaptcha auto-routes based on submitter geography.
DPA reference: hcaptcha.com/privacy.
What about other things you might expect to see here?
- No analytics on submission endpoints. We don't load Google Analytics, Plausible, or anything else on formspring.io/f/.... Submissions are processed without third-party JS.
- No CDN data path for submissions. Cloudflare fronts our marketing site, but submission POSTs go directly to our origin, bypassing the CDN.
- No AI sub-processor. AI moderation and AI insights run on infrastructure we control inside the same Hetzner region as the rest of your data. We do not call OpenAI, Anthropic, or any external LLM provider for customer submission data.
Adding a sub-processor
We notify Pro+ customers by email at least 30 days before adding a new sub-processor. The notification includes the vendor, the purpose, and any change to data flow. You have the option to terminate before the new sub-processor goes live if you object — see your DPA for the formal mechanism.
What's next
- GDPR — the formal posture and DSAR flow
- Regional hosting — where the primary data lives
- Encryption — what's encrypted and where
- Data retention — how long things stick around