
Sub-Processors

Last updated: 2026-04-20

This register discloses every third-party processor HumanKey engages to deliver its service. For each vendor we publish: legal entity, jurisdiction, processing purpose, data categories, retention, transfer mechanism under Chapter V of the GDPR, Data Processing Addendum link, the vendor's own sub-processor list (per Art. 28(4) of the GDPR), date of last review, security certifications, and — for AI vendors — the relevant AI Act classification.

Data-subject requests: use the /contact form (Privacy & GDPR department) or email privacy@humankey.io.

Railway Corp.

Railway · Infrastructure

Last reviewed
Jurisdiction
United States (Delaware). EEA workloads hosted in Netherlands (GCP europe-west4).
Registered address
548 Market St, PMB 20429, San Francisco, CA 94104, USA
Processing purpose
Application compute and request routing for the HumanKey API.
Data categories transferred
Request metadata (URL path, timestamp, status), pseudonymised identifiers, transient inbound payloads during processing. Raw IP addresses are NOT persisted in our application data — all stored IPs are hashed via SHA-256 + daily salt before write. A narrow exception applies to short-lived rate-limit buckets in Railway-managed Redis: the canonical express-rate-limit middleware retains an IPv6-normalised raw IP as a Redis key with a TTL equal to the limiter window (≤15 minutes), purely as an anti-abuse control. No raw IPs in persistent logs, analytics, or audit trails.
Retention
Compute layer: transient — processed in memory; no persistent storage by Railway. Managed Redis (rate-limit buckets only): keys auto-expire at TTL ≤15 min via Redis EXPIRE — no operator action required.
Transfer mechanism (GDPR Art. 46)
EU data residency (GCP Netherlands) for production workload; Standard Contractual Clauses 2021/914 Module 2 cover control-plane access from US.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
SOC 2 Type II

Neon, Inc.

Neon · Infrastructure

Last reviewed
Jurisdiction
United States (Delaware). EEA database stored in Germany (AWS eu-central-1 Frankfurt).
Registered address
209 Havemeyer St, Floor 1, Brooklyn, NY 11211, USA
Processing purpose
Managed PostgreSQL hosting for account data, site configuration, and analytics aggregates.
Data categories transferred
Account records (email, hashed password, account settings), site configuration, pseudonymised visit records, aggregated counts.
Retention
Stored per HumanKey retention policy (7–365 days by plan tier); backup snapshots held ≤7 days by Neon.
Transfer mechanism (GDPR Art. 46)
EU data residency (AWS Frankfurt) for production database; Standard Contractual Clauses 2021/914 Module 2 cover control-plane access from US.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
SOC 2 Type II, ISO 27001

Vercel Inc.

Vercel · Infrastructure

Last reviewed
Jurisdiction
United States (Delaware). Static and server-rendered frontend served from global edge network; EU workloads pinned to Frankfurt region.
Registered address
440 N Barranca Ave #4133, Covina, CA 91723, USA
Processing purpose
Frontend hosting, edge routing, and CDN delivery for humankey.io.
Data categories transferred
HTTP request metadata (URL, User-Agent, referrer, truncated IP for DDoS defence), static asset delivery logs. No account data persisted.
Retention
Edge logs ≤30 days per Vercel log policy; no long-term storage of personal data by Vercel.
Transfer mechanism (GDPR Art. 46)
Standard Contractual Clauses 2021/914 Module 2; EU-US Data Privacy Framework participation.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
SOC 2 Type II, ISO 27001

Cloudflare, Inc.

Cloudflare · Infrastructure

Last reviewed
Jurisdiction
United States (Delaware). Traffic proxied through Cloudflare global edge; EU traffic routed via EU points of presence where available.
Registered address
101 Townsend Street, San Francisco, CA 94107, USA
Processing purpose
DNS resolution, DDoS protection, WAF, and CDN caching for humankey.io and api.humankey.io.
Data categories transferred
Request metadata (URL, User-Agent, referrer), transient IP addresses for DDoS defence. No long-term storage by HumanKey configuration.
Retention
Security logs retained per Cloudflare retention policy (see vendor link).
Transfer mechanism (GDPR Art. 46)
Standard Contractual Clauses 2021/914 Module 2; EU-US Data Privacy Framework participation; Cloudflare EU Data Boundary controls.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
SOC 2 Type II, ISO 27001, PCI DSS, FedRAMP Moderate

Stripe Payments Europe, Limited (EEA flows) — with Stripe, Inc. (US, technology provider)

Stripe · Payments

Last reviewed
Jurisdiction
Ireland (Stripe Payments Europe, Limited handles EEA payment flows); United States (Stripe, Inc. provides technology platform under SCCs).
Registered address
Stripe Payments Europe, Limited — 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
Processing purpose
Payment processing, subscription billing, invoicing, and chargeback management.
Data categories transferred
Billing identity (name, billing address, NIP/VAT number when applicable), payment instrument metadata (card brand, last 4, expiry — full card number tokenised by Stripe), invoice history, subscription state.
Retention
Retained for legal and tax compliance purposes (≥7 years for tax records in EU); per Stripe retention policy.
Transfer mechanism (GDPR Art. 46)
EEA payment processing under Stripe Payments Europe, Limited (Ireland — GDPR direct); technology platform access from US under Standard Contractual Clauses 2021/914 Module 2 + EU-US Data Privacy Framework.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
PCI DSS Level 1, SOC 1 Type II, SOC 2 Type II, ISO 27001

Resend, Inc.

Resend · Email

Last reviewed
Jurisdiction
United States (Delaware).
Registered address
2261 Market Street #4667, San Francisco, CA 94114, USA
Processing purpose
Transactional email delivery (account verification, password reset, billing receipts, team invites, support responses).
Data categories transferred
Recipient email address, email subject and body (assembled by HumanKey), delivery metadata (bounce, open, click events).
Retention
Delivery logs retained ≤30 days by Resend (see vendor policy). Message bodies not retained after successful delivery.
Transfer mechanism (GDPR Art. 46)
Standard Contractual Clauses 2021/914 Module 2.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
SOC 2 Type II

Functional Software, Inc. d/b/a Sentry

Sentry · Monitoring

Last reviewed
Jurisdiction
United States (Delaware). HumanKey tenant configured for EU region (Frankfurt) — errors ingested and stored in the EU.
Registered address
45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
Processing purpose
Application-error monitoring and diagnostic capture for the HumanKey API and dashboard.
Data categories transferred
Stack traces, runtime error context, release identifiers. Personal identifiers (email, IP, user-agent) are stripped client-side before transmission per HumanKey Sentry SDK configuration.
Retention
Error events retained per Sentry project settings (default ≤90 days on HumanKey plan).
Transfer mechanism (GDPR Art. 46)
EU data residency (Sentry EU region, Frankfurt); no international transfer occurs. Standard Contractual Clauses 2021/914 Module 2 cover control-plane access from US.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
SOC 2 Type II, ISO 27001

MaxMind, Inc.

MaxMind · Geolocation (data-source import)

Last reviewed
Jurisdiction
United States (Massachusetts).
Registered address
51 Pleasant Street #1020, Malden, MA 02148, USA
Processing purpose
One-way geolocation database import. HumanKey downloads the GeoLite2 database file periodically; country-level lookups are performed locally. No visitor data is sent to MaxMind.
Data categories transferred
None transmitted. HumanKey only downloads the database file from MaxMind servers.
Retention
Not applicable — no personal data processed by MaxMind on HumanKey behalf.
Transfer mechanism (GDPR Art. 46)
Not applicable — one-way file download; no personal data transfer to the vendor.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
Not applicable
Security certifications
SOC 2 Type II

Cloudflare, Inc. (Radar API)

Cloudflare Radar · Network metadata enrichment

Last reviewed
Jurisdiction
United States (Delaware). Public-API query only; no client IP is transmitted.
Registered address
101 Townsend Street, San Francisco, CA 94107, USA
Processing purpose
Network-operator metadata lookup for aggregate benchmark reporting. Queries are keyed by autonomous-system number (ASN), resolved server-side from a pseudonymised visitor context.
Data categories transferred
ASN integer only (non-personal network identifier). No IP, User-Agent, session ID, or visitor identifier leaves HumanKey.
Retention
Not applicable — no personal data transmitted.
Transfer mechanism (GDPR Art. 46)
Not applicable — public API query over non-personal ASN identifier.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
SOC 2 Type II, ISO 27001

Anthropic, PBC

Anthropic · AI / LLM inference

Last reviewed
Jurisdiction
United States (Delaware public benefit corporation).
Registered address
548 Market Street, PMB 90375, San Francisco, CA 94104, USA
Processing purpose
Large-language-model inference powering: (a) the public AI Assistant chatbot, (b) automated audit summarisation, and (c) admin-only AI Insights advisory analytics. All responses are advisory; no automated decision under GDPR Art. 22.
Data categories transferred
User-submitted chat text (public chatbot) and system prompts assembled by HumanKey. No raw IP addresses, no payment data, no hashed session tokens, no database records beyond aggregated counts. Chat text may constitute personal data under GDPR Recital 26 where it contains personal identifiers introduced by the user.
Retention
Zero-retention flag enabled on all HumanKey API calls per Anthropic Commercial Terms. Inputs and outputs are not retained beyond the time necessary to generate the response and are not used to train Anthropic models.
Transfer mechanism (GDPR Art. 46)
Standard Contractual Clauses 2021/914 Module 2 (processor-to-processor) per Anthropic Commercial Data Processing Addendum.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
SOC 2 Type II, ISO 27001, ISO 42001
AI Act classification (Regulation (EU) 2024/1689)
HumanKey acts as a deployer of the Claude Haiku model under AI Act Regulation (EU) 2024/1689 Art. 3(4). HumanKey is not a provider under Art. 3(3). Art. 50 transparency obligations are satisfied for the public chatbot surface (see /legal/ai-transparency).

Google Ireland Limited (EEA users) / Google LLC (US technology provider)

Google · Authentication (optional)

Last reviewed
Jurisdiction
Ireland (Google Ireland Limited handles EEA OAuth flows per Google DPA). United States (Google LLC provides underlying platform under SCCs + EU-US DPF).
Registered address
Google Ireland Limited — Gordon House, Barrow Street, Dublin 4, Ireland
Processing purpose
OAuth 2.0 authentication when a user chooses Google as the sign-in method. Optional — only invoked at explicit user request.
Data categories transferred
Email address, basic profile (name, locale), OAuth token for the session. No password is transmitted to HumanKey.
Retention
HumanKey stores email + optional profile data in the user account until deletion; Google-side retention per Google DPA and user’s Google Account settings.
Transfer mechanism (GDPR Art. 46)
EEA flows handled by Google Ireland Limited under GDPR direct; underlying platform access under Standard Contractual Clauses 2021/914 Module 2 + EU-US Data Privacy Framework.
Data Processing Addendum
View DPA →
Sub-processor chain (Art. 28(4))
See vendor's own sub-processor list →
Security certifications
SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018

Legal framework

  • GDPR Art. 28 — every processor is bound by a written Data Processing Agreement with documented instructions, confidentiality obligations, security measures, sub-processor terms, and audit rights.
  • GDPR Art. 46 / Chapter V — transfers outside the EEA rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the EU-US Data Privacy Framework where the vendor is certified, or local-EEA residency where available.
  • GDPR Art. 28(4) — HumanKey discloses sub-processors via link-out to each vendor's own public list; the Controller is notified in advance of any material change and may object per Section 5 of the HumanKey Data Processing Agreement.
  • AI Act Regulation (EU) 2024/1689 Art. 50 — where an AI vendor is engaged, HumanKey acts as a deployer (Art. 3(4)); transparency obligations for the public chatbot surface are documented on the AI Transparency page.

We update this page whenever a sub-processor is added, removed, or replaced. Material changes are communicated by email to account holders with active subscriptions with at least 14 days' notice (30 days for Enterprise plans). This page was last updated on 2026-04-20.