Last updated: 16 July 2026
This page lists the third-party subprocessors that DUMA DIGITAL SOLUTIONS S.R.L. engages to help operate SYNCDATE. Each is bound by a data processing agreement and, for transfers outside the EEA, by the safeguards noted below. This list is derived from our actual production stack, not from vendors we merely evaluate.
| Subprocessor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| **Hetzner Online GmbH** | Application hosting, databases (PostgreSQL, Redis), CMS | All service data | EU (Germany — Nuremberg/Falkenstein; Finland — Helsinki); ISO/IEC 27001:2022 certified | N/A — data stays in the EU/EEA |
| **Cloudflare, Inc.** | DNS, CDN, TLS termination, DDoS/WAF | Traffic in transit (proxied requests, IP addresses, request metadata); no calendar data stored | United States (global edge) | SCCs + EU–US Data Privacy Framework |
| **Stripe** (Stripe Payments Europe Ltd / Stripe, Inc.) | Payments, subscriptions, invoicing, tax | Billing contact, payment method, invoice data — no calendar data | EU / United States | SCCs + EU–US Data Privacy Framework |
| **Postmark** (AC PM LLC / ActiveCampaign) | Transactional email (account, billing, lifecycle, and team-invite messages) | Email address, name, notification content | United States | SCCs + EU–US Data Privacy Framework |
| **Backblaze, Inc.** | Off-site database backups (private bucket, 90-day retention) | Database snapshots (all service data). OAuth tokens inside remain AES-256-GCM encrypted; other data is stored in the backup without additional client-side encryption | United States (private, access-restricted bucket) | SCCs + EU–US Data Privacy Framework |
| **Amazon Web Services (AWS Lambda)** | US-egress proxy for geo-blocked iCal feeds only — used solely when a feed blocks EU IPs; conditional, off by default | iCal feed URLs and fetched feed content for affected feeds only | United States (us-east-1) | SCCs + EU–US Data Privacy Framework |
| **Google (Google Analytics / GA4)** | Product and usage analytics (when active) | Anonymized usage and device data (e.g., IP address, browser type, pages viewed) | United States | SCCs + EU–US Data Privacy Framework |
| **Contentsquare** (ContentSquare SAS, France) | Session recording, heatmaps, behavioral analytics | Anonymized interaction data (clicks, scrolls, mouse movements, page URLs, viewport size) | EU (France) | N/A — data stays in the EU/EEA |
Calendar providers you connect
The calendar providers you connect — Google, Microsoft (Graph), and CalDAV hosts such as Apple iCloud, Fastmail, and Nextcloud — are not subprocessors. You contract with them directly and direct SYNCDATE to exchange calendar data with them on your behalf; they act as independent controllers or processors under their own terms.
AI clients you connect
If you authorize an AI client via the Model Context Protocol (MCP), the AI provider operating that client receives only the data you instruct it to access, under its own terms and privacy policy. AI providers are not general subprocessors of SYNCDATE; they receive data solely in response to your authenticated requests. You can revoke any connected agent at any time from the Connected Agents page in your dashboard.
Self-hosted components (not subprocessors)
Our CMS (Strapi), analytics data store, and observability pipeline run on the Hetzner infrastructure listed above and do not involve additional third-party data sharing.
Changes to this list
We give advance notice before adding or replacing a subprocessor. Material changes to this list are reflected here, and where a change affects the processing of your data we will notify affected customers before it takes effect.
Questions about this list: support@syncdate.app.