Subprocessor List

Last updated: June 21, 2026

This page identifies external providers that may process personal data to help Mosaicora deliver the Service. A provider’s role can vary by service. Stripe and Sold through Link also act independently for merchant-of-record activities.

1. Mosaicora-operated infrastructure

Core account data and Customer Content are processed on Mosaicora-operated infrastructure in the European Economic Area. Internal software, network topology, hosts, and security architecture are intentionally not published because they are not external subprocessors and disclosure could create security risk.

2. External providers

Cloudflare, Inc.

Purpose
Content delivery, traffic security, edge processing, and payment-webhook transport.
Data
IP addresses, request metadata, public content, and limited account or transaction identifiers.
Location
Global network, with transfers covered by Cloudflare’s DPA and applicable transfer safeguards.

PostHog, Inc.

Purpose
Optional product and website analytics after consent.
Data
Usage events, page interactions, device details, account identifier when signed in, and IP-derived region.
Location
European Union cloud region.

Plus Five Five, Inc. (Resend)

Purpose
Transactional and service email delivery.
Data
Recipient name and email, delivery metadata, and message content.
Location
United States, with the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.

Functional Software, Inc. (Sentry)

Purpose
Application error monitoring and incident diagnosis.
Data
Error details, request diagnostics, device information, and minimized account or technical identifiers.
Location
Configured service region, with transfers governed by Sentry’s DPA and applicable safeguards.

Stripe group companies, including Sold through Link LLC

Purpose
Managed checkout, merchant-of-record services, payment, tax, fraud prevention, order management, refunds, and transaction support.
Data
Contact, billing, tax, order, subscription, payment, dispute, and support information.
Location
Global, processed under Stripe’s privacy terms and international transfer safeguards.

3. Changes, notice, and objections

We update this page before a material new subprocessor begins processing Customer personal data where reasonably possible. Business customers may request email notice by sending Subscribe to subprocessor notices. A customer may object on reasonable data-protection grounds within 14 days after notice. We will work in good faith on a reasonable alternative. If none is available, the customer may stop the affected processing or terminate the affected Service.