
GetClauseApp Wiki

Third-Party Services

Integration-specific privacy and compliance docs for common SaaS tools.

Google

Google operates a comprehensive ecosystem of cloud-based services, platforms, and tools that span consumer applications, enterprise solutions, and developer infrastructure. According to Google's official documentation, their service portfolio includes consumer-facing products such as Search, Gmail, YouTube, Google Maps, and Chrome browser, alongside enterprise and developer solutions including Google Cloud Platform, Google Workspace, Firebase, Google Analytics, and Google Ads. These services are designed to help individuals and organizations store data, communicate, analyze information, develop applications, and reach audiences across web and mobile platforms. Google's infrastructure processes data from billions of users globally, making it one of the largest data processors in the technology industry. For developers specifically, Google provides backend infrastructure through Firebase and Google Cloud Platform, analytics capabilities through Google Analytics, advertising networks, authentication services, storage solutions, and various APIs that can be embedded into third-party applications and websites. When developers integrate these services, they typically enter into a data processing relationship where Google acts as a processor handling data on behalf of the developer (who serves as the controller), though this relationship varies depending on the specific service and how it is implemented.

Read →

GitHub OAuth

GitHub OAuth Authentication is an identity and authorization service that allows third-party applications to request access to a user's GitHub account data without requiring the user's password. According to GitHub's official documentation, OAuth 2.0 is the protocol that enables external applications to request authorization to access private details in a user's GitHub account. When developers integrate GitHub OAuth into their applications, they are implementing a standardized authorization flow where users can grant specific permissions (called scopes) to the application, allowing it to perform actions on the user's behalf or access particular types of data from their GitHub account. GitHub OAuth operates as part of GitHub's broader platform, which is owned by Microsoft Corporation (GitHub's parent company since the 2018 acquisition). According to the GitHub Privacy Statement effective April 27, 2026, GitHub, Inc. and GitHub B.V. act as Data Controllers for personal data processed through their services. When developers use GitHub OAuth in their applications, they are establishing a data flow where GitHub authenticates the user, the user grants permissions, and GitHub then provides the application with an access token that can be used to access GitHub's API on the user's behalf. The OAuth flow enables applications to obtain different levels of access depending on the scopes requested. These can range from basic read-only access to public information, to write access for modifying repositories, to access for reading private email addresses or managing organization memberships. According to GitHub's documentation, OAuth Apps authenticate as a single user and the access token inherits all permissions that the user has, limited only by the scopes granted during authorization. Scopes are coarse: the repo scope, for example, grants read and write access to every repository the user can reach rather than to a single project, so an application should request the narrowest scope set that works and treat the access token as a credential of the same value as the user's own. For new integrations GitHub recommends GitHub Apps, which use fine-grained, repository-scoped permissions and short-lived installation tokens, over OAuth Apps.

Read →
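The authorization-code flow described in the GitHub OAuth entry above, as an added example that is not part of the original page and not GitHub's own code: it builds the authorization redirect, validates the state parameter on the callback, and checks the scopes actually granted in the token response before the token is used. The client ID, redirect URI, callback query string and token JSON body are constructed placeholders; only the two endpoint URLs, the space-delimited scope request and the comma-separated scope field in the response come from GitHub's documentation. The HTTP POST to the token endpoint itself is left out so the code runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// OAuth App endpoints from GitHub's documentation.
const (
	authorizeURL = "https://github.com/login/oauth/authorize"
	tokenURL     = "https://github.com/login/oauth/access_token" // POST here with Accept: application/json
)

// NewState returns an unguessable value to store in the user's session and
// echo through GitHub; checking it on the callback defeats login CSRF, where
// an attacker tricks the victim's browser into completing the attacker's flow.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeURL builds the redirect to GitHub. The scope parameter is
// space-delimited. Request only what is needed: "repo" grants read/write on
// every repository the user can reach, so prefer "read:user", "user:email"
// or "public_repo" where they suffice.
func AuthorizeURL(clientID, redirectURI, state string, scopes []string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return authorizeURL + "?" + q.Encode()
}

// HandleCallback validates the query string GitHub sends to redirect_uri.
// expectedState must come from the server-side session, never from the request.
func HandleCallback(rawQuery, expectedState string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s", e)
	}
	got := q.Get("state")
	if subtle.ConstantTimeCompare([]byte(got), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: possible login CSRF")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("missing authorization code")
	}
	return code, nil
}

// TokenResponse is the JSON body returned by the token endpoint.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	Scope       string `json:"scope"` // comma-separated scopes actually granted
	Error       string `json:"error,omitempty"`
}

// ParseTokenResponse decodes the exchange result and refuses a token whose
// granted scopes do not cover what the application relies on, so the gap
// surfaces at login rather than as a confusing 403 on a later API call.
func ParseTokenResponse(body []byte, required []string) (*TokenResponse, error) {
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, err
	}
	if tr.Error != "" {
		return nil, fmt.Errorf("token endpoint error: %s", tr.Error)
	}
	if tr.AccessToken == "" {
		return nil, errors.New("empty access token")
	}
	granted := map[string]bool{}
	for _, s := range strings.Split(tr.Scope, ",") {
		granted[strings.TrimSpace(s)] = true
	}
	for _, s := range required {
		if !granted[s] {
			return nil, fmt.Errorf("scope %q was not granted", s)
		}
	}
	return &tr, nil
}

func main() {
	state, _ := NewState()
	fmt.Println(AuthorizeURL("client-id-placeholder", "https://app.example/callback", state, []string{"read:user", "user:email"}))
	// Constructed callback query and token body, not captured from GitHub.
	code, err := HandleCallback("code=abc123&state="+url.QueryEscape(state), state)
	fmt.Println("code:", code, "err:", err)
	tr, err := ParseTokenResponse([]byte(`{"access_token":"gho_example","token_type":"bearer","scope":"read:user,user:email"}`),
		[]string{"read:user", "user:email"})
	fmt.Println(tr, err)
}
```

The state value is the piece most often skipped in hand-rolled integrations; without it a victim can be logged into the attacker's GitHub identity, which matters as soon as the application links GitHub accounts to local ones.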

Sign in with Apple

Sign in with Apple is Apple Inc.'s authentication and identity service that allows users to create accounts and sign in to third-party applications and websites using their Apple Account (formerly Apple ID). According to Apple's official documentation, Sign in with Apple was designed from the ground up to protect user privacy and give users control over their personal information. The service was announced at Apple's Worldwide Developers Conference in June 2019 and became available with iOS 13, macOS Catalina, tvOS 13, and watchOS 6. According to Apple's developer documentation, Sign in with Apple works across all Apple platforms including iOS, iPadOS, macOS, visionOS, tvOS, and watchOS, and can also be implemented on websites and applications running on non-Apple platforms through web-based authentication. When developers integrate Sign in with Apple into their applications, they are implementing an authentication flow where users can set up an account using only their Apple Account credentials, without necessarily sharing their personal email address or other identifying information with the developer. The core privacy feature that distinguishes Sign in with Apple from other authentication services is its "Hide My Email" functionality. According to Apple's privacy documentation, when users choose to use this feature, Apple generates a unique, random email address that forwards messages to the user's personal email address. This allows users to receive communications from the application without revealing their actual email address to the developer. Each generated email address is unique to the specific developer, preventing cross-developer tracking through email addresses. From a technical perspective, Sign in with Apple uses an OpenID Connect-like protocol to federate user accounts: the app receives an identity token (a signed JWT) whose claims the developer's server must validate. According to Apple's developer documentation, the service provides developers with a unique user identifier (the sub claim of the identity token) that is scoped to the developer's Team ID: it is stable across all apps published by that developer but differs for every other developer, so unrelated developers cannot collude to track a user across services by comparing identifiers. The authentication is secured with two-factor authentication on the Apple Account, and on Apple devices users can authenticate using Face ID, Touch ID, or their device passcode. According to Apple's App Store Review Guidelines (guideline 4.8, Login Services), an app that uses a third-party or social login service (such as Facebook Login, Google Sign-In, or Twitter Login) to set up or authenticate the user's primary account must also offer, as an equivalent option, a login service that limits data collection to name and email, lets users keep their email address private, and does not collect interactions with the app for advertising purposes without consent. Sign in with Apple satisfies these requirements; since a 2022 revision of the guideline it is one way to meet them rather than the only way. Apps that use only their own proprietary account system (email and password) are not covered by this requirement.

Read →
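Server-side validation of the identity token described in the Sign in with Apple entry above, as an added example that is not part of the original page and not Apple's code. Apple signs identity tokens with RS256 using keys it publishes at https://appleid.apple.com/auth/keys; here a throwaway RSA key generated at run time stands in for Apple's so the example runs offline, and the client ID, nonce and sub value are constructed. The verifier pins the algorithm, checks the signature, then checks issuer, audience, expiry and nonce, and the demo shows that the same token is rejected when presented to a different client ID, after expiry, and with a modified payload.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const appleIssuer = "https://appleid.apple.com"

// IDTokenClaims is the subset of the id_token payload checked here. "sub" is
// the team-scoped user identifier: the same for all apps of one developer,
// different for every other developer.
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken produces an RS256 JWT. It stands in for Apple's signing step so
// the example runs offline; a relying party never holds Apple's private key.
func SignToken(priv *rsa.PrivateKey, c IDTokenClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": "example-kid", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil { return "", err }
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64url(sig), nil
}

// VerifyAppleIDToken pins the algorithm, checks the signature, then validates
// issuer, audience (the app's client_id), expiry and the nonce bound to the
// login request. In production pub is selected by the "kid" header from
// Apple's JWKS; here it is passed in directly.
func VerifyAppleIDToken(token string, pub *rsa.PublicKey, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg string `json:"alg"` }
	// Never let the token choose the algorithm ("none", HS256 key confusion).
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil { return nil, err }
	switch {
	case c.Iss != appleIssuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token issued for client %q, not %q", c.Aud, clientID)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: possible replay")
	}
	return &c, nil
}

// DemoResult records which of the bad-token cases the verifier rejected.
type DemoResult struct {
	Sub                         string
	CrossApp, Expired, Tampered bool
}

// Demo mints a token under a throwaway key, verifies it, then replays it
// against another client_id, after expiry, and with a forged payload.
func Demo() (DemoResult, error) {
	var r DemoResult
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return r, err }
	now := time.Now()
	// Constructed claims; the sub is illustrative, not a real Apple identifier.
	claims := IDTokenClaims{Iss: appleIssuer, Aud: "com.example.app", Sub: "001234.abcdef.5678", Exp: now.Add(10 * time.Minute).Unix(), Nonce: "n-1"}
	tok, err := SignToken(priv, claims)
	if err != nil { return r, err }
	c, err := VerifyAppleIDToken(tok, &priv.PublicKey, "com.example.app", "n-1", now)
	if err != nil { return r, err }
	r.Sub = c.Sub
	_, err = VerifyAppleIDToken(tok, &priv.PublicKey, "com.other.app", "n-1", now)
	r.CrossApp = err != nil
	_, err = VerifyAppleIDToken(tok, &priv.PublicKey, "com.example.app", "n-1", now.Add(time.Hour))
	r.Expired = err != nil
	p := strings.Split(tok, ".")
	claims.Sub = "attacker" // swap the payload but keep Apple's signature
	forged, _ := json.Marshal(claims)
	_, err = VerifyAppleIDToken(p[0]+"."+b64url(forged)+"."+p[2], &priv.PublicKey, "com.example.app", "n-1", now)
	r.Tampered = err != nil
	return r, nil
}

func main() { fmt.Println(Demo()) }
```

The audience check is what enforces the per-developer identifier property in practice: a token minted for one client ID must not be accepted by another, otherwise a malicious app could replay a token it collected to a different service.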

Auth0

Auth0 is a comprehensive authentication and authorization platform that provides developers with the infrastructure to secure applications, APIs, and devices. Auth0 was founded in 2013 as an independent company and was acquired by Okta, Inc. in May 2021 for approximately $6.5 billion. Following the acquisition, Auth0 continues to operate as a distinct product line under the Okta umbrella, branded as "Auth0 by Okta" or as part of Okta's "Customer Identity Cloud" offerings, though it maintains its own developer-focused identity and documentation. According to Auth0's official documentation, the platform provides identity-as-a-service functionality that allows developers to add authentication and authorization to their applications without building these systems from scratch. The service supports various authentication methods including traditional username and password, social login integrations (Google, Facebook, Twitter, GitHub, etc.), enterprise identity providers (Active Directory, LDAP, SAML, OpenID Connect), passwordless authentication (email magic links, SMS codes), and multi-factor authentication. Auth0 implements industry-standard protocols including OAuth 2.0, OpenID Connect, SAML, and WS-Federation. From an architectural perspective, Auth0 operates as a multi-tenant cloud service, though it also offers private cloud deployment options for enterprise customers with specific compliance or data residency requirements. According to Okta's subprocessor documentation, Auth0's public cloud deployment allows customers to select their geographic region during initial setup, with options including United States, Canada, United Kingdom, European Union, Japan, and Australia. For private cloud deployments, additional regions are available including Brazil, Germany, Hong Kong, Indonesia, Ireland, Italy, United Arab Emirates, France, Sweden, South Africa, Bahrain, India, South Korea, Singapore, and Mexico. 
The core value proposition of Auth0 centers on reducing the complexity and security risks associated with building custom authentication systems. According to Auth0's product documentation, the platform handles user registration, login, password reset, session management, token generation and validation, user profile storage, and integration with external identity providers. This allows developers to focus on their application's core functionality while delegating identity management to Auth0's specialized infrastructure. Auth0's product suite has expanded significantly over the years to include not just authentication but also authorization features through Auth0 Actions (customizable authentication flows), Auth0 Rules and Hooks (deprecated legacy extensibility superseded by Actions), Fine-Grained Authorization for complex permission models, Organizations for B2B multi-tenancy, and Attack Protection features for bot detection and brute force prevention. According to Okta's product categorization, Auth0 primarily serves the Customer Identity and Access Management (CIAM) market, focusing on consumer-facing applications, though it can also be used for workforce identity in smaller organizations. An important aspect for developers to understand is Auth0's role in data processing. According to Auth0's GDPR compliance documentation, in the typical deployment scenario, Auth0's customers (the developers/organizations implementing Auth0) are the data controllers who determine what user data to collect and how to use it, while Auth0 acts as a data processor that handles the data according to the customer's instructions as specified in the Data Processing Addendum. This controller-processor relationship has significant implications for privacy compliance responsibilities, which will be detailed in later sections of this profile.

Read →

Clerk

Clerk provides authentication and user management solutions for developers building web and mobile applications. As authentication infrastructure, Clerk processes sensitive user credentials, session data, and identity information on behalf of customers. The service operates on a clear controller-processor model where customers are data controllers for their end users' information while Clerk acts as processor. Data Processing Addendum with Standard Contractual Clauses automatically incorporated in service terms. Primary infrastructure hosted on Google Cloud Platform in United States with comprehensive subprocessor list including Cloudflare (CDN/WAF), Datadog and Sentry (monitoring), Twilio ecosystem (SendGrid email, Twilio SMS, Segment analytics), Stripe (payments), Svix (webhooks), and Vercel (web hosting). Clerk is self-certified under EU-US Data Privacy Framework for transfers from EEA, UK, and Switzerland. Compliance certifications include SOC 2 Type II, HIPAA eligibility, and CCPA compliance. Critical distinction: Clerk processes two categories of data—Customer Data (end user credentials and profile information governed by DPA where customers are controllers) and Account Information (customer organization details governed by Clerk's Privacy Policy where Clerk is independent controller). Security features include HttpOnly session cookies (unreadable by page script, limiting session theft via XSS rather than preventing XSS itself), SameSite flags for CSRF mitigation, session token rotation, compromised-password detection against the HaveIBeenPwned corpus, and regular third-party penetration testing.

Read →

Kinde

Kinde (Kinde Australia Pty Ltd) is Australian-based developer platform headquartered near Byron Bay, New South Wales combining authentication, access management, billing, and feature management for SaaS products and AI applications. Founded for SaaS founders and product teams, platform serves thousands of businesses globally providing developer infrastructure for B2B and B2C authentication, user management, organization management, role-based access control, feature flags, billing integration with Stripe Connect, and custom workflows. Operating under clear controller-processor distinction, Kinde acts as data processor for end-user authentication data (individuals signing into customer applications) while customers maintain controller role determining authentication methods, user access policies, and data retention. For customer account information (developer accounts managing Kinde platform), Kinde acts as independent controller. Data Processing Agreement available upon request from [email protected] establishes processor obligations including compliance with GDPR, UK GDPR, CCPA/CPRA, and other international and US state privacy laws. DPA incorporates Standard Contractual Clauses and UK International Data Transfer Agreement for GDPR-compliant international transfers though specific SCC version not disclosed in public documentation. Compliance certifications include ISO 27001:2022 certified by Compass Assurance Services (public listing available on JASANZ certified organizations register and IAF CertSearch register), SOC 2 Type II not confirmed in public documentation (customers requiring it should request the current report from Kinde), HIPAA compliant with Business Associate Agreement available upon request from support, CCPA/CPRA compliant, and Cloud Security Alliance Consensus Assessments Initiative Questionnaire Level 1 self-assessment submitted to public STAR registry. Privacy framework follows Australian Privacy Act 1988 (Cth) with additional protections for EU/EEA/UK individuals under GDPR. 
Data Protection Officer contactable via [email protected]. Infrastructure hosting not comprehensively disclosed though platform available through AWS Marketplace suggesting potential AWS infrastructure. Pricing structure includes Free plan (10,500 monthly active users with no credit card required, includes authentication, organizations, feature flags, workflows), Starter, Growth, Pro, Scale, and Enterprise tiers with volume discounts and dedicated infrastructure options. Business model based on monthly active user subscriptions and paid customer billing (customers paying through Kinde billing features do not count toward MAU allowance per no-double-dipping policy) not selling personal data according to explicit Privacy by Design commitment. Platform features include comprehensive authentication options (password, passwordless, social login from dozens of providers including Google/Facebook/Apple/GitHub, SAML SSO, MFA with TOTP/SMS/authenticator apps, passkeys, machine-to-machine authentication), advanced organization management for multi-tenant B2B businesses (hierarchical structures, default roles, email domain-based auto-assignment), role-based access control with custom permissions, feature flags for release management integrated with authentication, Stripe Connect billing integration for subscriptions and entitlements, workflows written in TypeScript/JavaScript synced to Git repositories, custom authentication pages with full HTML/CSS/JavaScript control, webhooks for event-driven integrations, and audit logs providing visibility into user authentication activity. Data collected deliberately minimized following Privacy by Design principle—authentication typically collects first name, last name, and email address with potentially less information depending on social provider integration (some providers only provide email or custom identifier without revealing personal details). 
Technical and organizational measures include encryption for data in transit and at rest, access controls, incident response procedures, Data Protection Impact Assessments completed for key processing activities, Records of Processing Activities maintained per GDPR Article 30, and privacy surveys conducted across departments identifying personal data handling. Subprocessor list not publicly maintained - customers requiring detailed subprocessor documentation should request via [email protected].

Read →

Okta

Okta, Inc. is publicly traded identity and access management company headquartered in San Francisco, California providing cloud-based identity platform serving both workforce identity (securing employee access to applications and systems) and customer identity (securing end-user authentication for digital products via Auth0 platform). Platform serves organizations across all industries and sizes securing authentication, authorization, single sign-on, multi-factor authentication, lifecycle management, and AI agent identity for billions of identity events. Operating under controller-processor distinction, Okta acts as data processor for Customer Data (end-user identity data processed on behalf of organizations deploying Okta for workforce or customer authentication) while customers act as data controllers determining processing purposes and means. For Okta Platform Data and Usage Data (operational metadata, telemetry, service improvement data), Okta acts as independent controller per legitimate business purposes. Data Processing Addendum published January 2026 (Rev 011426) publicly available at okta.com/trustandcompliance automatically incorporated into Master Subscription Agreement establishing processor obligations including Standard Contractual Clauses and UK Addendum for GDPR-compliant international transfers with explicit prohibition on selling or sharing personal data as defined under US Privacy Laws. Okta maintains published subprocessors list (March 2026, Rev 03122026) at okta.com/trust/subprocessors with email notification subscription for changes via [email protected] and 10-business-day objection window for customers with DPA in place—one of the most transparent subprocessor management frameworks among identity providers. 
Infrastructure built on cell-based architecture deploying isolated, shared-nothing, identical replicas of service across AWS regions globally with cells located in US, EMEA, Japan, Australia, Canada, and India enabling customers to purchase local cells for data residency compliance—cell approach provides isolation boundaries, fault containment, and compliance-specific configurations including HIPAA and FedRAMP compliant cells. Compliance certifications include FedRAMP Moderate authorization (as of March 2026), SOC 2 Type II, ISO 27001, CSA STAR Level 2 attestation (first identity provider to achieve this level), HIPAA Business Associate Agreement available, EU-US Data Privacy Framework certification, and compliance with GDPR, UK GDPR, CCPA/CPRA, and numerous other global privacy regulations. Security incident history note: Okta experienced significant security incidents in 2022 and 2023 affecting customer data—developers should review post-incident security improvements and obtain current security documentation when evaluating. Published subprocessors (March 2026) include AWS (primary infrastructure), Auth0 Argentina S.A., Auth0 Uruguay S.A., Spera Cybersecurity Inc. (Delaware), Spera Cybersecurity Ltd. (Israel), Axiom Security Ltd. (Israel), Salesforce.com Inc., Twilio Inc., and others published at okta.com/trust/subprocessors. Pricing spans free Developer Edition (100 monthly active users for Workforce Identity), various Workforce Identity plans, and Customer Identity Cloud (formerly Auth0) plans from free (7,500 MAU) to enterprise with custom pricing. Platform serves thousands of enterprise customers including many Fortune 500 companies across healthcare, financial services, government, technology, retail, and other regulated industries. 
Business model based on identity platform subscriptions not selling personal data—DPA explicitly prohibits selling or sharing Personal Data and prohibits retaining, using, disclosing, or processing Personal Data for any purpose beyond business purposes specified in agreement.

Read →

Microsoft Entra ID

Microsoft Entra ID (formerly Azure Active Directory, rebranded 2023) is enterprise identity platform operated by Microsoft Corporation (Redmond, Washington) providing cloud-based identity and access management for workforce identity, customer-facing applications (Entra External ID), and business-to-business collaboration. Part of Microsoft's broader Entra product family alongside Entra ID Governance, Entra Verified ID, Entra Permissions Management, and Entra Workload Identities, Entra ID serves hundreds of millions of users across organizations ranging from SMBs to the largest global enterprises. Operating under clear controller-processor distinction per DPA (May 2026, most recent edition), Microsoft acts as data processor for Customer Data processed on behalf of organizations deploying Entra ID while customers act as data controllers determining processing purposes and means. DPA defines three data categories: Customer Data (data customers provide to Microsoft or generated on their behalf via services), Personal Data (data within Customer Data identifying individuals), and Professional Services Data (data provided during support and consulting engagements). DPA publicly downloadable at aka.ms/dpa with May 2026 edition incorporating Standard Contractual Clauses (2021 revision) for GDPR-compliant international transfers and EU-US Data Privacy Framework certification. EU Data Boundary program (finalized 2025) enables organizations with EU/EFTA billing addresses to store and process Customer Data and pseudonymized personal data in EU/EFTA data centers—Microsoft Entra ID enrolled in EU Data Boundary with documented exceptions including global publication of fraud signals (IP addresses and phone numbers determined fraudulent published globally for protective purposes) and multitenant collaboration scenarios where collaborating tenant outside EU boundary may cause egress. 
Critical CLOUD Act consideration: DPA explicitly states Microsoft may comply with valid legal process (government warrant) even if this conflicts with controller instructions—Microsoft commits to notify customers of government requests unless legally prohibited (gag orders frequently accompany CLOUD Act warrants). Compliance certifications among most extensive of any cloud provider including ISO 27001/27017/27018/27701, SOC 1/2/3, FedRAMP High authorization (Entra External ID), DoD Impact Levels 2/4/5/6, HIPAA BAA available, PCI DSS, FIPS 140, CSA STAR attestation and certification, and 100+ additional certifications documented at Microsoft Service Trust Portal (servicetrust.microsoft.com). Microsoft Online Services Subprocessors List published at Microsoft Trust Center identifies authorized subprocessors with contractual obligations and customer notification before new subprocessors added—customers may terminate without penalty upon written notice if not accepting new subprocessor. Infrastructure operated across Microsoft-owned and operated data centers globally in 60+ regions spanning all major continents with Azure Government and Government Secret clouds for US federal deployments. Pricing spans free tier (Entra ID Free included with Microsoft cloud services—core authentication, SSO for up to 10 apps, user provisioning for cloud apps), Entra ID P1 ($6/user/month), Entra ID P2 ($9/user/month including Identity Protection and Privileged Identity Management), and Entra ID Governance (additional advanced lifecycle and access governance features). Customer identity via Entra External ID priced separately per monthly active user. Business model based on licensing subscriptions—Microsoft does not use Customer Data for advertising, user profiling, or market research per DPA explicit commitment. Data not used for testing in production environments per DPA safeguard.

Read →

Stripe

Information will be available shortly.

Read →

PayPal

Information will be available shortly.

Read →

Razorpay

Information will be available shortly.

Read →

Paystack

Information will be available shortly.

Read →

Paddle

Information will be available shortly.

Read →

Lemon Squeezy

Information will be available shortly.

Read →

Gumroad

Information will be available shortly.

Read →

BitPay

BitPay Inc. is cryptocurrency payment processor and financial services company headquartered in United States, enabling businesses to accept cryptocurrency payments (Bitcoin, Ethereum, stablecoins, 100+ cryptocurrencies) with settlement in local fiat currency. Operating as regulated financial institution subject to Bank Secrecy Act, USA PATRIOT Act, and Office of Foreign Assets Control (OFAC) sanctions programs, BitPay maintains registration as Money Services Business with Financial Crimes Enforcement Network (FinCEN) and holds money transmitter licenses in applicable US states. BitPay B.V. operates European entity subject to Dutch Act on Prevention of Money Laundering and Terrorism Financing and Dutch Sanctions Act. Core service model converts cryptocurrency payments to fiat settlement—merchants receive next-business-day bank deposits in local currency without holding crypto, creating wallets, or managing blockchain addresses. Comprehensive AML/ATF/Sanctions compliance program includes mandatory KYC verification through Onfido identity verification platform for payout recipients and for merchants whose payment volume exceeds a threshold: BitPay's public materials cite $10,000 in one place and jurisdiction-specific thresholds elsewhere (United States above $3,000, European Union above €1,000), so developers should confirm the threshold applicable to them with BitPay. BitPay ID verification process requires government-issued identification, proof of address, live selfie verification using Onfido's biometric technology. Privacy Policy subject to Gramm-Leach-Bliley Act—much personal information collected exempt from California Consumer Privacy Act due to federal financial services regulations. Headquarters located in United States with data processing occurring primarily in US infrastructure. BitPay B.V. Amsterdam office serves European operations. Identity verification subprocessor Onfido (now part of Entrust) maintains ISO 27001 certification and SOC 2 Type II compliance with EU and US data center options for data residency requirements. 
BitPay received SOC 2 audit addressing security of services. Security infrastructure includes multi-signature wallets requiring multiple participant signatures, mandatory two-factor authentication for transactions, local password storage on user devices rather than centralized servers, encryption for all transactions using modern cryptographic methods. EU Privacy Notice indicates transfers outside EEA with BitPay headquarters in United States—Standard Contractual Clauses available for international transfers though no publicly accessible Data Processing Addendum document. Retention policy aligns with federal and state financial services regulations requiring extended retention of customer due diligence and identification program data. No public subprocessor list maintained beyond Onfido identity verification disclosure. Cookie Policy describes strictly necessary cookies for site functionality, analytics cookies for traffic measurement, targeting cookies for marketing through partners including LinkedIn, Cloudflare for CDN and security services. Privacy Notice last-updated date not identified in publicly available sources. Data Subject Request Portal available for GDPR, CCPA, LGPD rights exercises.

Read →

Appwrite

Appwrite is an open-source backend-as-a-service (BaaS) platform that provides developers with a complete backend infrastructure for building web, mobile, and AI applications. Founded as an open-source project, Appwrite distinguishes itself from traditional cloud services through its dual deployment model: developers can either use the managed Appwrite Cloud service or self-host Appwrite on their own infrastructure. This flexibility addresses both convenience and data sovereignty concerns, making Appwrite particularly attractive to developers with specific compliance requirements or those who prefer complete control over their infrastructure. According to Appwrite's official documentation and GitHub repository, the platform is designed as a set of microservices that run in containerized environments using Docker. The architecture provides developers with ready-to-use APIs for authentication, databases, file storage, serverless functions, messaging, real-time capabilities, and integrated web application hosting through Appwrite Sites. The platform supports multiple programming languages and frameworks through comprehensive SDKs, allowing developers to integrate backend functionality using familiar tools and languages. Appwrite's open-source nature means that the entire codebase is publicly available on GitHub, where developers can inspect the source code, contribute improvements, report issues, and even fork the project for customized deployments. According to the project's GitHub repository, Appwrite is licensed under a permissive open-source license (BSD 3-Clause), and the community actively contributes to its development. This transparency extends to security practices, as the open-source model allows independent security researchers to audit the code and report vulnerabilities, although public source does not by itself mean the code has been audited; developers should check the project's security policy and disclosure history rather than assume it. For developers choosing the managed cloud option, Appwrite Cloud represents a relatively recent offering. 
According to announcements on Appwrite's blog, Appwrite Cloud entered public beta and subsequently reached general availability in 2025. The cloud service follows a freemium model where developers can start building applications for free during the beta period, with paid tiers (Starter, Pro, Scale, and Enterprise) offering additional resources, features, and support. Importantly, Appwrite emphasized that during the cloud beta period, no credit card information would be collected from users, demonstrating a commitment to low-friction developer onboarding. A significant development in Appwrite Cloud's evolution was the April 2025 announcement of the "Appwrite Network," which represents Appwrite's vision for global cloud infrastructure. According to this announcement, Appwrite is building its own network of cloud regions and edge locations rather than simply reselling capacity from major cloud providers like AWS, Google Cloud, or Azure. This ambitious approach aims to provide developers with more control over data location, better performance through distributed edge computing, and compliance with local data regulations. As of May 2026, according to Appwrite's documentation, the network includes three primary regions: Frankfurt (FRA) in Germany, New York City (NYC) in the United States, and Sydney (SYD) in Australia, with additional regions planned for future expansion. The architecture of Appwrite Cloud distinguishes between "regions" and "edges" in its infrastructure design. According to Appwrite's technical documentation, regions are where core data and services reside - including databases, authentication systems, functions, messaging, and storage. Regions serve as the source of truth for applications, handling heavy workloads and ensuring data remains compliant with local regulations. 
Edges, by contrast, are distributed locations that process requests closer to end users through smart geo-routing, reducing latency by handling compute tasks at the nearest edge location. Each region also functions as an edge for other regions, creating an interconnected network that enhances coverage and reduces latency globally. All Appwrite Cloud projects are served by Appwrite's built-in Content Delivery Network (CDN), which leverages strategically positioned Points of Presence (PoPs) to cache and deliver content from locations nearest to users. According to Appwrite's documentation, this CDN architecture ensures sub-50 millisecond ping times around the globe and includes integrated DDoS protection that filters threats in real-time. This represents a significant infrastructure investment for a relatively young platform, signaling Appwrite's long-term commitment to competing with established backend service providers. From a data processing perspective, the distinction between self-hosted and cloud deployments has important privacy implications. When developers self-host Appwrite on their own infrastructure, they act as both the data controller and maintain complete control over all data processing activities. They are responsible for their own GDPR compliance, data security, infrastructure management, and user data handling. When developers use Appwrite Cloud, however, the relationship becomes more complex: developers remain the data controllers for their application users' data, while Appwrite acts as a data processor handling data according to the developer's instructions and configuration. According to Appwrite's GDPR compliance documentation published in January 2024 and updated subsequently, Appwrite Cloud has implemented comprehensive measures to achieve compliance with the European General Data Protection Regulation. 
This includes providing users with access to their personal information including the right to correct and delete it, imposing the same rules upon subprocessors who assist in providing Appwrite's services, implementing robust security measures including encryption and access controls, and providing Data Processing Agreements (DPAs) that developers can execute through their organization settings in the Appwrite console. Appwrite has also achieved additional compliance certifications relevant to regulated industries. According to announcements in April 2024, Appwrite became HIPAA compliant, allowing developers building healthcare applications to use Appwrite for storing and processing protected health information (PHI) when appropriate business associate agreements are in place. The platform is also SOC 2 Type I certified as of April 2024, demonstrating compliance with security, availability, processing integrity, confidentiality, and privacy criteria. Additionally, Appwrite has implemented measures for CCPA compliance to protect consumer privacy under California law. It is important to note that while Appwrite provides a compliant platform, the responsibility for overall application compliance remains with developers. According to Appwrite's HIPAA documentation, while Appwrite Cloud serves as a HIPAA-compliant platform to handle data, developers must ensure their applications are also compliant with HIPAA regulations. This principle extends to all privacy regulations: Appwrite provides tools and infrastructure that support compliance, but developers must configure them correctly, implement proper consent mechanisms, maintain appropriate privacy policies, and fulfill their obligations as data controllers.

Read →

Firebase

Firebase is a Google-owned application development platform, acquired in 2014, providing backend-as-a-service infrastructure including real-time databases, authentication, cloud storage, hosting, cloud functions, analytics, crash reporting, performance monitoring, and machine learning capabilities. Operating as a comprehensive mobile and web application development ecosystem, Firebase serves millions of developers worldwide, from independent developers to Fortune 500 companies. Operating under a clear controller-processor distinction, Firebase (Google) acts as data processor under GDPR and service provider under CCPA/CPRA for customer personal data, while customers act as data controllers (GDPR) or businesses (CCPA/CPRA) for end-user data processed through Firebase services, meaning customers retain control and responsibility for fulfilling data subject rights. For Firebase Service Data (metadata about customer usage, service operations, feature adoption), Firebase acts as an independent controller processing per the Google Privacy Policy. The Data Processing and Security Terms incorporated into the Firebase Terms of Service establish processor obligations including European Commission Standard Contractual Clauses for GDPR-compliant international transfers. Google LLC is certified under the EU-US Data Privacy Framework, including the UK Extension and Swiss-US DPF, providing adequacy for transatlantic transfers with SCCs as an additional safeguard.

Infrastructure varies significantly by service; a critical limitation is that Firebase Authentication operates exclusively from US data centers with no EU or regional deployment options as of May 2026, creating substantial GDPR compliance challenges for EU developers (regionalized Firebase Auth was expected in preview by the end of 2025 but is not yet available; pass-through authentication from an external IDP is available in early access, where Firebase does not store user records). Cloud Firestore, Realtime Database, Cloud Storage, and Cloud Functions support regional and multi-regional deployments across 40+ Google Cloud Platform locations, including dedicated EU regions (the eur3 multi-region spanning Belgium and the Netherlands, plus regional options across Europe). The pricing structure includes a generous Spark Plan free tier (10,000 Firebase Authentication verifications monthly, 1GB Cloud Storage, 20,000 Realtime Database connections, 50,000 Firestore reads, unlimited Analytics and Cloud Messaging) and the Blaze Plan pay-as-you-go for scaling applications. Compliance certifications include ISO 27001/27017/27018 for information security and cloud privacy and SOC 1/2/3 for security and availability controls, with certifications accessible via the Compliance Reports Manager for services governed by Google Cloud Platform Terms. The business model is based on service usage fees, not selling customer data.

Platform services include Firebase Authentication (email/password, phone, social providers Google/Facebook/Apple/GitHub/Twitter, anonymous auth, custom auth with JWT, multi-factor authentication, identity platform features), Cloud Firestore (NoSQL document database with real-time synchronization, offline support, automatic multi-region replication, ACID transactions, rich queries), Realtime Database (JSON tree structure with real-time sync, offline capabilities, declarative security rules), Cloud Storage for Firebase (object storage for user-generated content like photos and videos, integration with Google Cloud Storage), Cloud Functions (serverless compute triggered by Firebase events, HTTPS requests, scheduled jobs), Firebase Hosting (production-grade web hosting with CDN, SSL certificates, one-command deploys), Firebase Analytics (unlimited event tracking, audience segmentation, conversion funnels integrated with Google Analytics 4), Cloud Messaging (cross-platform notifications to iOS, Android, web), Crashlytics (real-time crash reporting and analytics), Performance Monitoring (app performance insights), Remote Config (dynamic configuration without app updates), A/B Testing (experiment framework), App Distribution (beta testing distribution), ML Kit (on-device machine learning), and Extensions (pre-packaged solutions for common use cases). Data collected varies by service, but Firebase Service Data includes project configurations, API usage patterns, feature adoption, performance metrics, error logs, and aggregate analytics used by Google to improve Firebase and potentially other Google services (configurable via Firebase data privacy settings). Technical and organizational measures include encryption in transit and at rest, access controls via Firebase Security Rules and IAM, DDoS protection, security monitoring, incident response procedures, and compliance with Google Cloud security infrastructure standards.

Read →

Supabase

Information will be available shortly.

Read →

PocketBase

Information will be available shortly.

Read →

MongoDB Atlas

Information will be available shortly.

Read →

PlanetScale

Information will be available shortly.

Read →

Upstash

Information will be available shortly.

Read →

Pinecone

Information will be available shortly.

Read →

SendGrid

Information will be available shortly.

Read →

Postmark

Information will be available shortly.

Read →

Resend

Information will be available shortly.

Read →

Mailgun

Information will be available shortly.

Read →

Amazon SES

Amazon Simple Email Service (Amazon SES) is a cloud-based email sending and receiving service designed for businesses, developers, and digital marketers who need reliable, scalable email delivery infrastructure. As part of Amazon Web Services (AWS), Amazon SES provides the technical capabilities to send transactional emails, marketing campaigns, and automated notifications without the operational overhead of maintaining dedicated email servers or managing complex email infrastructure. According to AWS documentation, Amazon SES was designed to help businesses solve email deliverability challenges, meet strict anti-spam regulations, and scale email communications from dozens to millions of messages per day. The service operates on AWS's global infrastructure, leveraging the same security, reliability, and compliance frameworks that power AWS's entire cloud ecosystem. Amazon SES is available in 27 AWS Regions globally as of 2026, providing developers with geographic flexibility for data residency, latency optimization, and compliance with local regulations. From an architectural perspective, Amazon SES operates as a managed service within the AWS cloud. According to technical documentation, when developers use Amazon SES, they interact with the service through multiple interfaces including an HTTP API for programmatic email sending with full access to AWS SDK features and advanced functionality, an SMTP interface for applications and email clients that require standard SMTP protocol support, and the AWS Management Console for configuration, monitoring, and management tasks through a web-based interface. The email sending process in Amazon SES involves several stages. 
According to service documentation, when developers send an email through SES, the service accepts the message content including sender address, recipient addresses, subject line, message body (plain text and/or HTML), attachments, and custom headers, validates the request against account quotas, sender verification status, and content policies, processes the message by applying DKIM signatures for authentication and SPF records for sender verification, routes the message through appropriate IP addresses (shared IP pools or dedicated IPs depending on account configuration), delivers to recipient mail servers using SMTP protocol with opportunistic or required TLS encryption, and provides feedback through bounce notifications, complaint notifications, and delivery status tracking. A critical aspect of Amazon SES architecture is its integration with the broader AWS ecosystem. According to AWS privacy documentation, Amazon SES inherently involves data transfer as an essential function of the service - when you send messages via Amazon SES to recipients, the content of those messages is transferred to the locations of the recipients globally. This distinguishes SES from many other AWS services where customer data typically remains within the selected AWS Region unless explicitly configured otherwise. Amazon SES provides both sending and receiving capabilities. According to service documentation, for sending, developers can transmit transactional emails (password resets, order confirmations, account notifications), marketing emails (newsletters, promotional campaigns, product announcements), and automated notifications (monitoring alerts, system notifications, workflow triggers). 
For receiving, Amazon SES can accept inbound email directed to verified domains, route received email to AWS services including Amazon S3 for storage, AWS Lambda for serverless processing, or Amazon SNS for notification distribution, and apply rule sets for filtering, spam detection, and content processing. From a data processing perspective, the relationship between developers and Amazon SES follows AWS's standard customer-processor model. According to AWS's Data Processing Addendum and privacy documentation, developers using Amazon SES are data controllers who determine the purposes and means of processing personal data (email addresses, message content, recipient information). Amazon Web Services acts as a data processor, processing customer data solely according to customer instructions as implemented through API calls, console configurations, and service usage. This controller-processor relationship has significant implications for privacy compliance responsibilities, which will be detailed in subsequent sections. Amazon SES provides advanced deliverability features that affect how email data is processed. According to technical documentation, the service offers sender reputation monitoring through reputation dashboard, bounce and complaint metrics, and deliverability insights, dedicated IP addresses for customers needing consistent sender identity and full control over IP reputation, configuration sets for organizing email sending into logical groups with separate tracking and analytics, email templates for reusable message structures, sending authorization for allowing verified identities to send on behalf of other accounts, and suppression lists for automatically preventing emails to addresses that have bounced or complained. Compliance certifications and audit reports are available for Amazon SES as part of AWS's comprehensive compliance program. 
According to AWS compliance documentation, Amazon SES is covered under HIPAA eligibility (when appropriate Business Associate Agreement is in place), SOC 1, SOC 2, and SOC 3 reports (independent attestation of AWS controls), ISO 27001, ISO 27017, and ISO 27018 certifications (information security management and cloud privacy), PCI DSS compliance (payment card industry data security standards), and GDPR readiness including Data Processing Addendum and Standard Contractual Clauses. A defining characteristic of Amazon SES compared to specialized email service providers is its infrastructure-focused approach. According to product positioning, Amazon SES provides the underlying email delivery infrastructure with monitoring, reputation management, and compliance features, but does not include built-in campaign management interfaces, visual email builders, subscriber list management tools, or marketing automation workflows. Most serious users of Amazon SES for marketing purposes combine it with external software platforms or custom applications that provide these higher-level features while leveraging SES for reliable, cost-effective delivery. Pricing for Amazon SES reflects this infrastructure-oriented positioning. According to AWS pricing documentation for 2026, the service charges primarily based on usage including per-email costs ($0.10 per 1,000 emails sent), attachment fees (additional $0.12 per GB for data transfer), optional dedicated IP addresses (separate monthly fees per IP), and receiving costs ($0.10 per 1,000 emails received plus storage fees for rule-based actions). Notably, emails sent from Amazon EC2 instances receive an allocation of free outbound emails monthly, making SES particularly cost-effective for applications already running on AWS infrastructure. The geographic availability of Amazon SES has significant implications for data residency and compliance. 
According to AWS regional documentation updated through June 2025, Amazon SES sending capabilities are available in US East (N. Virginia, Ohio), US West (N. California, Oregon), AWS GovCloud (US-West, US-East), Asia Pacific (Mumbai, Hyderabad, Sydney, Singapore, Seoul, Tokyo, Jakarta, Osaka), Canada (Central), Europe (Ireland, Frankfurt, London, Paris, Stockholm, Milan, Zurich), Israel (Tel Aviv), Middle East (Bahrain, UAE), South America (São Paulo), Africa (Cape Town), and Asia Pacific (Malaysia). Email receiving capabilities are available in a subset of these regions including US East (N. Virginia, Ohio), Europe (Ireland, Frankfurt, London), Asia Pacific (Sydney, Tokyo, Singapore), and Canada (Central). According to technical documentation, features and availability differ slightly across regions. Some regions support only email sending, while others support both sending and receiving. SMTP endpoints are not available in all regions (specifically not in Africa Cape Town, Asia Pacific Hyderabad/Jakarta/Malaysia, Europe Milan/Zurich, Israel Tel Aviv, Middle East Bahrain/UAE, or Canada West Calgary). Verification of email addresses and domains is region-specific, meaning verification in one region does not apply to other regions. Account quotas, sandbox status, and sending limits are managed separately per region.

Read →

Mailchimp

Information will be available shortly.

Read →

Beehiiv

Beehiiv Inc. is a newsletter and email marketing platform headquartered in the United States, enabling creators and businesses to build, grow, and monetize email lists through comprehensive publishing infrastructure. Operating under a clear controller-processor distinction, Beehiiv acts as data processor for subscriber data (email list members, readers, website visitors) processed on behalf of customers, who are controllers, while serving as controller for account information (customer registration, billing, platform usage data). A Data Processing Addendum automatically incorporated in the Terms of Use establishes processor obligations including Standard Contractual Clauses for international transfers. Core infrastructure is hosted on Amazon Web Services (AWS) in United States regions with encryption at rest and in transit. Email delivery is powered by a Twilio SendGrid partnership that sent 4.35 billion emails with 1,147% year-over-year growth and achieved a 52% increase in deliverability rate through SendGrid Engagement Quality Score implementation. Payment processing is exclusively through Stripe, with no platform fees beyond Stripe's standard 2.9% + $0.30 transaction costs. Analytics infrastructure includes Google Analytics 4, Microsoft Clarity for session recording and heat mapping, and MixPanel for product analytics. Hosting and CDN are provided by Cloudflare for security and content delivery.

The Acceptable Use Policy mandates affirmative consent for email sending, explicitly prohibits purchased/scraped email lists, and requires compliance with CAN-SPAM (US), CASL (Canada), GDPR (EU), ePrivacy (EU), and CCPA (California). The Privacy Policy, last modified April 30, 2026, distinguishes between customer content processing (where customer privacy policies apply) and beehiiv's own processing (for security, fraud prevention, legal compliance, platform operations). No EU data residency options are available; all subscriber data is stored in US-based AWS regions. Beehiiv adheres to GDPR requirements through SCCs, implements technical and organizational security measures, provides data subject rights fulfillment mechanisms, and offers comprehensive unsubscribe management tools. Customers are responsible for obtaining necessary consents from subscribers, providing privacy notices, implementing GDPR compliance measures, and maintaining legal requirements for data collection and use in relevant jurisdictions.

Read →

Kit (formerly ConvertKit)

Kit (rebranded from ConvertKit in October 2024) is a creator-focused email marketing platform headquartered in Boise, Idaho, enabling professional bloggers, podcasters, YouTubers, course creators, and online entrepreneurs to grow audiences through email marketing automation. The platform serves 600,000+ creators sending 2.5+ billion emails monthly. Operating under a clear controller-processor distinction, Kit acts as data processor for subscriber data (individuals subscribing to creator newsletters), while creators maintain the controller role, determining newsletter content, sending frequency, and subscriber management. For creator account information, Kit acts as an independent controller. A Data Processing Addendum automatically incorporated into the Privacy Policy establishes processor obligations including European Commission Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Agreement for GDPR-compliant international transfers. Kit is certified under the EU-US Data Privacy Framework, including the UK Extension and Swiss-US DPF, providing adequacy for transatlantic personal data transfers with SCCs as the primary mechanism. Infrastructure processing occurs globally, with creators worldwide, though specific data center locations are not publicly disclosed beyond US headquarters operations.

The pricing structure includes a generous free Newsletter plan supporting 10,000 subscribers with unlimited emails, unlimited landing pages, unlimited opt-in forms, and one automated sequence, the most generous free tier in the email marketing industry according to independent reviews. The paid Creator plan starts at $39/month for 1,000 subscribers (a September 2025 price increase from $15/month, representing a 160% increase). Creator Pro and Enterprise tiers offer advanced features including deliverability reporting, advanced automations, and priority support. Platform features include a visual automation builder enabling complex email sequences, tag-based subscriber management for segmentation, customizable landing pages and opt-in forms with 50+ templates, Creator Commerce for selling digital products and paid subscriptions, Creator Network enabling audience growth through recommendations, subscriber import/export with CSV support, GDPR compliance tools (consent management, EU subscriber filtering, data deletion, custom unsubscribe pages), an integration ecosystem (Shopify, WordPress, Stripe for payments, Zapier, webhooks for custom integrations), and email deliverability infrastructure with SPF/DKIM/DMARC authentication.

The business model is based on creator subscriptions, not selling personal data; Kit never sells, rents, or leases personal information, according to its explicit commitment. Compliance certifications are not comprehensively disclosed, though the DPA references appropriate technical and organizational measures. A subprocessor list is not publicly maintained; creators requiring detailed subprocessor documentation should request it via support channels. Technical and organizational measures include encryption for data in transit and at rest, access controls, incident response procedures, and compliance with applicable email marketing regulations (CAN-SPAM Act, CASL, GDPR, CCPA).

Read →

Twilio

Information will be available shortly.

Read →

MessageBird

Information will be available shortly.

Read →

Vonage

Information will be available shortly.

Read →

OneSignal

Information will be available shortly.

Read →

Pusher

Information will be available shortly.

Read →

OpenAI

Information will be available shortly.

Read →

Anthropic

Anthropic provides Claude, a family of large language models available through multiple deployment options with fundamentally different privacy characteristics. For developers, the Claude API under Commercial Terms offers industry-leading privacy protections including 7-day log retention (shortest in the industry), zero use of customer data for model training, and optional Zero Data Retention for maximum privacy. Critical distinction: Consumer products (Free/Pro/Max) introduced opt-in model training with 5-year retention in September 2025 and are inappropriate for application development. Commercial Products and API explicitly prohibit training, include Data Processing Addendum with Standard Contractual Clauses, and provide contractual protections required for GDPR compliance. Data residency guaranteed only through third-party platforms (Google Vertex AI EU regions, AWS Bedrock EU profiles) as direct API cannot guarantee EU-only processing. Recent developments include January 2026 Microsoft integration as subprocessor (excluded from EU Data Boundary) and March 2026 subprocessor additions (Palantir, AWS GovCloud, GCP Vertex AI) for government/defense deployments. Compliance certifications include SOC 2 Type II, ISO 27001/42001, FedRAMP High, and HIPAA eligibility with BAA.

Read →

Google Gemini

Information will be available shortly.

Read →

Groq

Information will be available shortly.

Read →

Mistral AI

Information will be available shortly.

Read →

LangChain

Information will be available shortly.

Read →

ElevenLabs

ElevenLabs (Eleven Labs Inc. and affiliates including Eleven Labs Ltd., Eleven Labs Poland sp. z o.o., and Eleven Labs Japan Godo Kaisha) is an AI voice technology company headquartered in New York, providing text-to-speech, voice cloning, speech-to-speech translation, dubbing, sound effects, and conversational AI services. Founded in 2022, the company raised $500 million at an $11 billion valuation (February 2026) and has 300+ employees serving enterprise customers including 41% of Fortune 500 companies. The platform generates 600 hours of audio for every hour in real time across 70+ languages, processing 2.5+ billion characters monthly. Operating under a controller-processor distinction, ElevenLabs acts as data processor for customer end-user data (voice recordings uploaded for cloning, generated audio, API usage data), while customers maintain the controller role, determining processing purposes. For customer account information, ElevenLabs acts as an independent controller. A Data Processing Addendum updated April 8, 2026, automatically incorporated into service agreements, establishes processor obligations including European Commission Standard Contractual Clauses (Decision 2021/914) for GDPR-compliant international transfers. ElevenLabs is certified under the EU-US Data Privacy Framework, including the Swiss-US DPF, providing adequacy for transatlantic personal data transfers with SCCs as an additional safeguard.

Infrastructure is hosted primarily on Google Cloud Platform, utilizing Google Kubernetes Engine with NVIDIA GPU acceleration (H100, upcoming Blackwell B200 GPUs) deployed across Google Cloud regions worldwide. An EU data residency option is available, enabling customers to select European data centers for primary processing and addressing GDPR Article 45-46 requirements. Voice data is explicitly recognized as biometric data under applicable data protection laws, requiring special category processing under GDPR Article 9. Zero Retention Mode is available on higher API tiers, enabling immediate deletion of customer voice recordings and generated audio after processing. Platform features include instant voice cloning from 30 seconds of audio, professional voice cloning with longer samples for enterprise quality, a voice library with thousands of pre-made voices, voice design for creating unique synthetic voices, multilingual speech synthesis across 70+ languages, dubbing and translation preserving original speaker voice characteristics, sound effects generation, music generation, conversational AI agents (ElevenAgents), and a Projects workflow for organizing long-form content. The pricing structure spans a free tier (10,000 characters monthly), Starter ($5/month, 30,000 characters), Creator ($22/month, 100,000 characters), Pro ($99/month, 500,000 characters), and Scale ($330/month, 2 million characters), up to Enterprise custom pricing with dedicated support.

The business model is based on subscription tiers and API usage, not selling personal data. Compliance certifications include EU-US DPF, SOC 2 Type II (in progress according to typical SaaS maturity), and EU AI Act Article 50 transparency requirements for AI-generated content. The subprocessor list is not comprehensively disclosed publicly; Google Cloud Platform is confirmed as the primary infrastructure provider. Technical and organizational measures include encryption in transit and at rest, access controls with multi-factor authentication, zero-trust architecture, GPU-isolated processing for voice model inference, and incident response procedures.

Read →

Hugging Face

Information will be available shortly.

Read →

AWS S3

Amazon Simple Storage Service (S3) is object storage infrastructure provided by Amazon Web Services, operating under a shared responsibility model where AWS manages the security of the underlying infrastructure while customers control their data, encryption, access policies, and compliance configuration. As processor, AWS does not access, use, or disclose customer content except as necessary to provide services, prevent fraud/abuse, or comply with law. A Data Processing Addendum is automatically incorporated in the AWS Service Terms, with Standard Contractual Clauses for GDPR compliance. Customers select specific AWS Region(s) for data storage with the guarantee that data remains in the chosen region unless the customer initiates a transfer. The global infrastructure spans 33+ AWS Regions with hundreds of Availability Zones. Encryption options include server-side encryption with S3-managed keys (SSE-S3, the default since January 2023), AWS KMS-managed keys (SSE-KMS), or customer-provided keys (SSE-C, being disabled by default April 2026). Client-side encryption is available for customers managing their own encryption process. There is no data movement across regions without customer action. Subprocessors vary by region and services used and are listed at aws.amazon.com/compliance/sub-processors, with 30-day advance notice for changes. Compliance certifications include SOC 1/2/3, ISO 27001/27017/27018, PCI DSS, FedRAMP (multiple levels), HIPAA eligibility, and GDPR readiness. Block Public Access has been enabled by default for all new buckets since 2023. Access control is via IAM policies, bucket policies, Access Control Lists (ACLs, disabled by default since 2023), and query string authentication. Amazon Macie is available for automated sensitive data discovery and protection. The customer maintains complete control over content, encryption keys, access permissions, and geographic storage location.

Read →

Google Cloud Storage

Information will be available shortly.

Read →

Cloudflare R2

Cloudflare R2 is an S3-compatible object storage service built on Cloudflare's global network, enabling developers to store unstructured data without the egress bandwidth fees that characterize traditional cloud storage providers. Operating under Cloudflare Inc.'s privacy framework, with headquarters in San Francisco, R2 provides object storage integrated with Cloudflare's security, performance, and reliability infrastructure spanning 300+ cities worldwide. A Data Processing Addendum automatically incorporated in service agreements establishes Cloudflare as data processor for customer content (objects stored in R2 buckets), while customers maintain their role as data controllers. The DPA includes European Commission Standard Contractual Clauses (Decision 2021/914) for GDPR-compliant international transfers, with 30-day advance notice before engaging new subprocessors via a publicly maintained list at cloudflare.com/gdpr/subprocessors. Cloudflare is certified under the EU-US Data Privacy Framework, providing adequacy for transatlantic transfers with SCCs as a fallback mechanism.

Regional data residency options include Location Hints (optional parameters indicating the primary geographic location for data access) and Jurisdictional Restrictions (a guarantee that objects are stored within a specific jurisdiction for compliance with GDPR, FedRAMP, or other data sovereignty requirements). Available jurisdictions: EU (European Union) and FedRAMP (US government, Enterprise customers only). The jurisdiction cannot be changed after bucket creation. The Local Uploads feature optimizes cross-region upload performance by writing object data to a storage location close to the client, then asynchronously copying it to the bucket region; it is not available for jurisdiction-restricted buckets. All objects are encrypted at rest using AES-256 with GCM (Galois/Counter Mode), with encryption keys managed by Cloudflare in internal key management systems and automatic encryption requiring no user configuration. Encryption in transit via TLS/SSL is supported on all domains, with the option to disable plaintext HTTP through Always Use HTTPS on custom domains. The R2 architecture includes the R2 Gateway (entry point for API requests, deployed across the global network via Cloudflare Workers), the Metadata Service (a distributed layer on Durable Objects for strong consistency), the Tiered Read Cache (Cloudflare Tiered Cache serving data closer to clients), and Distributed Storage Infrastructure (persistent encrypted object storage). R2 is strongly consistent with 99.999999999% (eleven 9's) annual durability: storing 1,000,000 objects, expect to lose one every 100,000 years. Zero egress fees distinguish R2 from AWS S3, Google Cloud Storage, and Azure Blob, where data retrieval incurs substantial costs.

Compliance certifications include ISO 27001 (annual audits of the Information Security Management System), SOC 2 Type II (AICPA audits covering security, availability, confidentiality), and PCI DSS Level 1, with a formal Privacy Information Management System (PIMS) protecting policies and procedures. Cloudflare does not sell, rent, or share personal data processed on behalf of customers, including as 'sell' or 'share' are defined in CCPA. HIPAA-aligned procedures are consistent with security requirements, though HHS does not recognize certification. The subprocessor list is publicly maintained with an RSS feed subscription for change notifications. Technical and organizational measures are regularly tested by external auditors and internal audits, with mandatory multi-factor authentication using physical hard tokens, a zero-trust identification model, and principle of least privilege access controls.

Read →

Cloudinary

Cloudinary Ltd. is a cloud-based media management platform providing image and video optimization solutions for websites and mobile applications, with operations spanning the globe. Operating under a clear controller-processor distinction, Cloudinary acts as the data processor for Customer Data (media assets uploaded to the platform, transformation configurations, and delivery metadata), while customers retain the controller role, determining the purposes and means of processing. A Data Processing Addendum automatically incorporated for subscription customers establishes processor obligations, including the European Commission Standard Contractual Clauses (both the old Directive 95/46/EC clauses and the new Decision 2021/914 SCCs) for GDPR-compliant international transfers. Cloudinary is certified under the EU-US Data Privacy Framework, including the UK Extension and the Swiss-US DPF, providing adequacy for transatlantic personal data transfers. The platform is hosted on multi-tenant, logically separated AWS cloud infrastructure serving 75,000+ active customers, and is built as an AWS Advanced Technology Partner passing annual Well-Architected Framework audits. Infrastructure spans AWS regions worldwide, with Enterprise customers able to choose an EEA data storage location; Standard customers use US-based AWS infrastructure unless an Enterprise plan enables regional selection. An IP address masking feature is available upon request to support privacy compliance: it masks and encrypts source IP addresses for CDN delivery requests, nullifying the last IPv4 octet and the last 3 IPv6 octets, and keeps the original IP encrypted, expiring after one calendar day. All data is encrypted in transit and at rest, including AWS backups. Remote access requires VPN tunnels or secure encrypted connections with multi-factor authentication. Passwords are stored as secure hashes, never in plaintext, and Enterprise plans support SSO, enabling customers to enforce their own password policies.
Compliance certifications include ISO/IEC 27001 (since 2015, a third-party audited information security framework), SOC 2 (Security, Availability, Privacy, and Confidentiality, with HIPAA Security Rule coverage via Deloitte examination reports), ISO 14001 (environmental management), a completed Cloud Security Alliance CAIQ questionnaire, and the AWS APN Advanced Technology Partner designation. The business model is based on paid usage, not on selling personal data. The platform handles over 20 billion requests daily, generating event logs that are processed into petabytes of data monthly and stored on Amazon S3. Geographic isolation is provided by regionally redundant data centers, with a 99.9% uptime commitment measured by third-party real-time monitoring, 24x7x365 incident coverage, and tested backup and disaster recovery processes audited annually. Security features include access controls, single sign-on, multi-factor authentication, strict access pattern enforcement, a Bug Bounty Program with globally crowdsourced vulnerability detection, and annual third-party penetration testing. The subprocessor list is publicly maintained at cloudinary.com/trust/subprocessors and updated regularly (last update February 3, 2025); customers may object to new subprocessors per the DPA process. Technical and organizational measures include quarterly user privilege reviews, password policies with minimum length, complexity, and periodic resets, VPN-only remote access, encrypted communication sessions, and tested backups taken in close time proximity to data ingestion.

Read →

Vercel

Information will be available shortly.

Read →

Netlify

Information will be available shortly.

Read →

Railway

Information will be available shortly.

Read →

Sentry

Information will be available shortly.

Read →

Google AdMob

Information will be available shortly.

Read →