Subprocessor Registry
As a data processor under GDPR, Moral Fabric uses a small number of third-party services (subprocessors) to deliver our platform. We publish this list so your organisation always knows exactly who handles data on your behalf, what they process, and where.
Last updated: 23 February 2026
Core infrastructure & integrations
These services process personal data as part of core platform functionality. Each has a signed Data Processing Agreement and relevant security certifications.
| Vendor | Function | Data Categories | Location | Transfer Basis | DPA |
|---|---|---|---|---|---|
| Hetzner | Cloud hosting (VPS) | All data categories (encrypted at rest and in transit) | Germany / Finland | N/A (EEA only) | Signed |
| PostgreSQL | Database (self-hosted on Hetzner) | All member data (accounts, teams, roles, settings) | Germany | N/A (EEA only) | Signed |
| Asana | Governance sync (roles, teams, assignments) | Roles, team structure, task assignments, email addresses | United States | EU-US Data Privacy Framework | Signed |
| Slack | Change notifications | Member names, role changes, workspace activity | United States | EU-US Data Privacy Framework | Signed |
| Anthropic Claude | AI-powered analysis features | Workspace context provided for analysis (roles, team structure) | United States | EU-US Data Privacy Framework | Signed |
| Zitadel | Single Sign-On (optional, feature-flagged) | Credentials, email addresses, organization membership | EU / self-hosted | N/A (EEA only) | Signed |
Operational services
These services handle limited personal data for operational purposes like email delivery and error monitoring.
| Vendor | Function | Data Categories | Location | Transfer Basis | DPA |
|---|---|---|---|---|---|
| MailerSend | Transactional email delivery | Email addresses, notification content | European Union | N/A (EEA only) | Signed |
| Sentry | Error monitoring and performance tracking | Error logs, user context (anonymized), stack traces | United States | EU-US Data Privacy Framework | Signed |
Minimal data exposure
These services process no personal data or only non-identifying information like website domains or static assets.
| Vendor | Function | Data Categories | Location | Transfer Basis | DPA |
|---|---|---|---|---|---|
| Vercel | Frontend hosting and CDN | Static assets only (no user data processed) | United States (edge network) | EU-US Data Privacy Framework | Included in ToS |
| logo.dev | Company logo fetching | Website domains only (no personal data) | United States | EU-US Data Privacy Framework | Included in ToS |
Stay informed about changes
Under GDPR Article 28, we notify customers before adding or replacing subprocessors. Subscribe to receive these notifications by email.
Questions about data processing? Contact us at privacy@moralfabric.org