Sub-processors · revFADP transparency

Sub-processors

This public page lists all the sub-processors («data processors») that HelvetData engages to deliver the Service. It is kept up to date on every addition or change, pursuant to art. 9 revFADP and art. 28 GDPR. Any objection to a sub-processor may be sent to privacy@helvetdata.ch ; HelvetData will review the request within thirty (30) days.

Table below: name, country, purpose, status of the data-processing agreement (DPA), date added, data shared.

Last updated · 14 May 2026

Sub-processor	Country	Purpose	DPA	Date added	Data shared
Hetzner Online GmbHPrivacy policy	Germany (Falkenstein DE + Helsinki FI data centers)	Infrastructure hosting (servers, database, object storage).	Signed	2026-04-01	All technical and application data (encrypted at rest with AES-256).
Stripe Payments Europe LtdPrivacy policy	Ireland (transfers to USA framed by SCC + EU-US DPF)	Card and IBAN payment processing, Stripe Tax invoicing.	Signed	2026-04-01	First name, last name, billing address, email, payment metadata. No card data is transmitted to HelvetData.
Resend Inc.Privacy policy	United States (SCC signed, DPA signed)	Transactional email delivery (account verification, alerts, invoices, notifications).	Signed	2026-05-14	Email address, first name, content of transactional emails.
Sentry GmbHPrivacy policy	Germany	Technical error tracking and application observability.	Signed	2026-04-01	Anonymized stack traces, technical session identifier, browser. No identifying personal data.
PostHog Inc.Privacy policy	United States (SCC signed, DPA signed)	Product analytics, opt-in audience measurement after cookie banner consent.	Signed	2026-04-01	Anonymized session identifier, navigation events, anonymized IP (last octet masked). No nominative data.

Hetzner Online GmbH

Signed

Country: Germany (Falkenstein DE + Helsinki FI data centers)
Purpose: Infrastructure hosting (servers, database, object storage).
Data shared: All technical and application data (encrypted at rest with AES-256).
Date added: 2026-04-01

Stripe Payments Europe Ltd

Signed

Country: Ireland (transfers to USA framed by SCC + EU-US DPF)
Purpose: Card and IBAN payment processing, Stripe Tax invoicing.
Data shared: First name, last name, billing address, email, payment metadata. No card data is transmitted to HelvetData.
Date added: 2026-04-01

Resend Inc.

Signed

Country: United States (SCC signed, DPA signed)
Purpose: Transactional email delivery (account verification, alerts, invoices, notifications).
Data shared: Email address, first name, content of transactional emails.
Date added: 2026-05-14

Sentry GmbH

Signed

Country: Germany
Purpose: Technical error tracking and application observability.
Data shared: Anonymized stack traces, technical session identifier, browser. No identifying personal data.
Date added: 2026-04-01

PostHog Inc.

Signed

Country: United States (SCC signed, DPA signed)
Purpose: Product analytics, opt-in audience measurement after cookie banner consent.
Data shared: Anonymized session identifier, navigation events, anonymized IP (last octet masked). No nominative data.
Date added: 2026-04-01

Notes:

DPA = Data Processing Agreement (sub-processing contract art. 9 revFADP / art. 28 GDPR).
All transfers outside Switzerland and the EU are framed by Standard Contractual Clauses (SCC) approved by the European Commission and the FDPIC, and where applicable by the EU-US Data Privacy Framework adequacy decision dated 10 July 2023.
No sub-processor receives data scraped from Swiss public registers : that data remains stored on Hetzner (EU) only.
When a new sub-processor with potential access to personal data is added, Customers will be notified by email at least thirty (30) days before effective production rollout, in accordance with art. 28.2 GDPR.