β Back to Privacy Policy
Sub-Processors
Last updated:
HumanKey uses the following third-party sub-processors to provide its services. All sub-processors are bound by Data Processing Agreements (DPAs) and process personal data only as instructed. Where data is transferred outside the EEA, Standard Contractual Clauses (SCCs) per GDPR Chapter V are in place.
| Processor | Purpose | Data Location | Transfer Mechanism | DPA |
|---|---|---|---|---|
| Railway | API server hosting & compute | π³π± EU (Netherlands β Amsterdam) | EU β no transfer | View DPA |
| Neon | Database hosting | π©πͺ EU (Germany β Frankfurt) | EU β no transfer | View DPA |
| Vercel | Frontend hosting & CDN | π©πͺ EU (Germany) + πΊπΈ US (SCCs) | Standard Contractual Clauses (SCCs) | View DPA |
| Cloudflare | DNS, DDoS protection, CDN | πΊπΈ US + global edge network | Standard Contractual Clauses (SCCs) | View DPA |
| Stripe | Payment processing & subscription billing | πΊπΈ US (SCCs) | Standard Contractual Clauses (SCCs) | View DPA |
| Resend | Transactional email (verification, password reset) | πΊπΈ US (SCCs) | Standard Contractual Clauses (SCCs) | View DPA |
| Sentry | Error tracking β no PII transmitted (stripped before transmission) | π©πͺ EU (Germany β Sentry EU region) | EU β no transfer | View DPA |
| MaxMind | IP geolocation database β local file download only, no visitor data transferred | πΊπΈ Waltham, MA, USA | No data transfer (local processing) | View DPA |
| Cloudflare Radar | ASN metadata enrichment via public API β only ASN number queried, no PII transmitted | πΊπΈ US (Cloudflare global network) | No personal data transfer (public API) | View DPA |
| Anthropic, PBC | AI-powered advisory analytics and chatbot assistance β only aggregated statistics and user chat text transmitted, no visitor data or PII | πΊπΈ San Francisco, CA, USA | No personal data transfer (aggregated statistics only) | View DPA |
GDPR Compliance
- All EU-based processors are covered under GDPR directly β no transfer mechanism needed.
- US-based processors (Vercel, Cloudflare, Stripe, Resend) have executed EU Standard Contractual Clauses (SCCs) per GDPR Chapter V.
- Sentry operates in EU region (Germany) β no international transfer occurs.
- PII is minimized before transmission to all processors β Sentry receives no email addresses or IP addresses.
We will update this page when sub-processors are added, removed, or changed. Significant changes will be communicated via email to account holders with active subscriptions. This page was last updated on 2026-04-06.