Hetzner Online GmbH
Purpose: hosting the application, databases, and background jobs, plus S3-compatible object storage for file uploads. Region: Germany (Frankfurt, Nuremberg, Falkenstein). Basis: data processing agreement under Article 28 GDPR.
Stripe Payments Europe Ltd.
Purpose: payment processing, subscriptions, invoicing, and tax collection. Region: Ireland (EU); Stripe processes payment data as an independent controller. Basis: Stripe Data Processing Agreement, with Standard Contractual Clauses for any onward transfers.
Postmark (Wildbit LLC / ActiveCampaign)
Purpose: sending transactional email (submission notifications, autoresponders, and account email). Region: EU data center (Frankfurt). Basis: data processing agreement under Article 28 GDPR.
hCaptcha (Intuition Machines, Inc.)
Purpose: optional, per-form CAPTCHA verification, active only when a customer enables it. Region: United States, with Standard Contractual Clauses. Basis: hCaptcha DPA.
Automattic Inc. (Akismet)
Purpose: optional, per-form spam scoring (bring-your-own-key or platform key). Region: United States, with Standard Contractual Clauses. Basis: Automattic DPA.
Anthropic PBC (optional)
Purpose: optional AI moderation, categorization, summaries, and autoresponder drafts on paid plans. Region: United States, with Standard Contractual Clauses; zero-retention mode enabled. Basis: Anthropic Commercial Terms and DPA.
OpenAI Ireland Ltd. (optional)
Purpose: alternative AI provider for embeddings and duplicate detection, used only when a customer enables it. Region: Ireland (EU). Basis: OpenAI DPA.
Self-hosted analytics (Pixel & Process UG)
Purpose: cookieless, anonymous web analytics for the marketing site. Region: Germany. No third-party processing relationship; no access to submission data.