Skip to main content
DRIFTSTACK

Sub-processors.

The complete list of organisations that process customer data on Driftstack's behalf, the region they operate in, what they do, and the contractual basis under which any non-EU transfer happens.

This page is the customer-facing source of truth for sub-processor changes. Adding or removing an entry triggers a 30-day notice to all customers per Article 28(2) of the GDPR; the same content also lives in Annex 3 of the Data Processing Agreement.

Last updated: 2026-07-07

Sub-processor Region Purpose Transfer mechanism (legal basis for any data leaving the EU)
Hetzner Cloud Falkenstein, Germany (EU) Compute infrastructure for the Driftstack control plane. EU-resident — no transfer required.
Neon Frankfurt (EU) Our managed database (Postgres) — stores account, session, and audit data. EU-resident — no transfer required.
Upstash Frankfurt (EU) Fast temporary storage (managed Redis) — holds short-lived login-check (auth-cache) and rate-limit data. EU-resident — no transfer required.
Cloudflare R2 Default jurisdiction (data replicated EU + US) Object storage for customer-uploaded profile avatars, encrypted profile blobs, and public status-page snapshots. 2021 Standard Contractual Clauses + EU-US Data Privacy Framework.
Postmark EU sending region Transactional email (signup verification, password reset, billing notifications, support correspondence). 2021 Standard Contractual Clauses + EU-US Data Privacy Framework.
Sentry EU region (ingest.de.sentry.io) Error monitoring and observability for the Driftstack control plane. EU ingest region — no transfer required for error data.
Stripe Stripe Payments Europe Ltd (Ireland) Payment processing, subscription management, usage-based billing for the bring-your-own-key (BYOK) AI option, and VAT (Dutch BTW) reverse-charge handling via Stripe Tax. 2021 Standard Contractual Clauses + EU-US Data Privacy Framework.
Anthropic United States Large language model (LLM) behind the optional AI agent feature. Engaged in two modes: (1) Bring your own key (BYOK) — the customer supplies their own Anthropic API key; the customer's contract is with Anthropic directly, and Driftstack only passes the request through without keeping it (a transient proxy). (2) Bundled — opt-in only; Driftstack uses its own key (deployment-managed) and bills the customer at a markup. Session data flows to Anthropic only when one of these two modes is actually used in a given AI step. 2021 Standard Contractual Clauses + EU-US Data Privacy Framework.
Moneybird Netherlands (EU) Accounting and invoicing operations for the Driftstack BV. EU-resident — no transfer required.
MacStadium United States Mac hardware hosting for the iPhone Safari session execution fleet. 2021 Standard Contractual Clauses + EU-US Data Privacy Framework.
NowPayments NowPayments OÜ (Estonia, EU) Cryptocurrency payment processing (BTC, LTC, USDT, USDC, ETH, XMR). Engaged only when a customer opts to pay with cryptocurrency at checkout; bypassed entirely for Stripe-paying customers. Inside the EEA (the EU plus Iceland, Liechtenstein, and Norway) — no transfer mechanism required.
LiveKit United States (regional endpoints; EU preferred) Carries the live video stream (WebRTC; LiveKit provides the connection setup and video relay servers — signaling and media SFU) for the optional "live session" feature, where the customer or Driftstack support watches an in-progress browser session in real time. Disabled by default; engaged only when explicitly initiated. 2021 Standard Contractual Clauses + EU-US Data Privacy Framework.

Region preference vs. region routing.

The "region" you can pick from /settings → Region (us / eu / apac) is a stated preference. It does not move your data. Today, every customer's database-resident data — account, profiles, sessions, audit logs — resides on the EU-resident infrastructure listed in the table above, regardless of region preference. File objects on Cloudflare R2 (avatars, encrypted profile blobs, public status snapshots) use R2's default jurisdiction, which replicates between the EU and the US under the transfer mechanism listed in the table.

The preference exists so we can route accounts to the matching region automatically once the multi-region rollout lands. When that happens, customers who selected a non-EU region will be notified 30 days before any of their data is migrated, with the opportunity to keep their data in the EU or terminate the affected portion of the service. The Article 28(2) sub-processor amendment mechanics on this page apply unchanged.

Until the multi-region rollout ships, leaving the field as "no preference" produces identical behaviour to selecting "eu".

Change log.

Every meaningful change to this list is recorded here permanently — entries are never edited or removed (an immutable record). Cosmetic edits (rewording, typo fixes) don't qualify and aren't logged.

  1. 2026-07-07

    Cloudflare R2

    Material change

    Correction: the Cloudflare R2 row previously described the storage as "EU jurisdiction — no transfer required" and listed "session recordings and screenshots". In fact the R2 buckets use the default jurisdiction, which replicates data between the EU and the US, so a transfer mechanism applies (2021 Standard Contractual Clauses + EU-US Data Privacy Framework), and the objects actually stored are customer-uploaded profile avatars, encrypted profile blobs, and public status-page snapshots (session recording is not a live feature). This is a correction of the register to describe existing processing accurately — the processing itself did not change.

    Effective: 2026-07-07

  2. 2026-05-10

    Register-level entry

    Register published

    Initial sub-processor register published as part of pre-launch transparency. The register reflects the sub-processors in production at the time of publication; future material changes are recorded here, each with the 30-day notice GDPR Article 28(2) requires.

    Effective: 2026-05-10

How sub-processor changes work.

When Driftstack engages a new sub-processor, removes one, or materially changes the role of an existing one, customers receive notice at least 30 days before the change takes effect. The notice states what's changing, the contractual basis for any new transfer, and the cut-off date for raising objections.

Customers who object to a sub-processor change have the right to terminate the affected portion of the service before the change takes effect. The mechanics live in the DPA (Article 28(2) — Sub-processor amendment).

For questions about the list, email privacy@driftstack.dev.