Subprocessors
Last updated: May 27, 2026
We use the following subprocessors to run the porthatch products. New subprocessors get announced at least 30 days before they take effect; email privacy@porthatch.app to subscribe to those notices.
Infrastructure
| Subprocessor | Purpose | Data location | Privacy policy |
|---|---|---|---|
| Cloudflare | Workers runtime, edge routing, KV cache, Queues, Workflows, R2 (Placet uploads, Sluice CSVs) | Global edge; primary region your account is provisioned in | cloudflare.com/privacy |
| Neon | Managed Postgres for account, workspace, audit, and product metadata | Region your Neon project is provisioned in (US-East / EU-West by default) | neon.tech/privacy |
Billing
| Subprocessor | Purpose | Data location | Privacy policy |
|---|---|---|---|
| Stripe | Subscription billing, card processing, customer portal. We do not see card numbers — they go directly from your browser to Stripe. | US + EU (Stripe's standard segregation) | stripe.com/privacy |
Communications
| Subprocessor | Purpose | Data location | Privacy policy |
|---|---|---|---|
| Resend | Transactional email delivery: magic-link sign-in, payment-failed notices, trial reminders, subscription cancellation | US | resend.com/legal/privacy |
Observability
| Subprocessor | Purpose | Data location | Privacy policy |
|---|---|---|---|
| Sentry | Application error tracking. Stack traces, request context. No PII in events by configuration — emails get scrubbed at the SDK level. | US or EU (Sentry's regional choice) | sentry.io/privacy |
| Axiom | Structured logs and metrics. Request ids, route, status, latency. No PII. | US | axiom.co/privacy |
Product-specific (only relevant if you use that product)
| Subprocessor | Used by | Purpose | Privacy policy |
|---|---|---|---|
| Notion | Cordon | Database proxy — your Notion content stays in Notion; we hold only an integration token and a proxy audit | notion.so/notion/Privacy-Policy |
| Airtable | Veneer | Base proxy — your Airtable content stays in Airtable; we hold only a Personal Access Token (encrypted at rest) and a proxy audit | airtable.com/privacy |
| EmailListVerify | Sluice "deep" tier | Third-party SMTP probe for email validation. Activated only on the deep tier; standard tier doesn't reach an external vendor. | emaillistverify.com/privacy |
How we vet new subprocessors
Before adding a new subprocessor we check:
- Public privacy policy + DPA terms compatible with our customers' GDPR posture
- Compliance certifications (SOC2 Type II, ISO 27001) where applicable
- Encryption-in-transit + encryption-at-rest defaults
- Sub-processor list (so we don't add a subprocessor that fans out to another we haven't vetted)
How to object
If a new subprocessor is incompatible with your compliance posture, email privacy@porthatch.app within 30 days of the notice. You can exit the service with a pro-rated refund of the remaining billing period; we'll help you export your data first.