1. Mosaicora-operated infrastructure
Core account data and Customer Content are processed on Mosaicora-operated infrastructure in the European Economic Area. Internal software, network topology, hosts, and security architecture are intentionally not published because they are not external subprocessors and disclosure could create security risk.
2. External providers
Cloudflare, Inc.
- Purpose
- Content delivery, traffic security, edge processing, and payment-webhook transport.
- Data
- IP addresses, request metadata, public content, and limited account or transaction identifiers.
- Location
- Global network, with transfers covered by Cloudflare’s DPA and applicable transfer safeguards.
PostHog, Inc.
- Purpose
- Optional product and website analytics after consent.
- Data
- Usage events, page interactions, device details, account identifier when signed in, and IP-derived region.
- Location
- European Union cloud region.
Plus Five Five, Inc. (Resend)
- Purpose
- Transactional and service email delivery.
- Data
- Recipient name and email, delivery metadata, and message content.
- Location
- United States, with the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.
Functional Software, Inc. (Sentry)
- Purpose
- Application error monitoring and incident diagnosis.
- Data
- Error details, request diagnostics, device information, and minimized account or technical identifiers.
- Location
- Configured service region, with transfers governed by Sentry’s DPA and applicable safeguards.
Stripe group companies, including Sold through Link LLC
- Purpose
- Managed checkout, merchant-of-record services, payment, tax, fraud prevention, order management, refunds, and transaction support.
- Data
- Contact, billing, tax, order, subscription, payment, dispute, and support information.
- Location
- Global, processed under Stripe’s privacy terms and international transfer safeguards.
3. Changes, notice, and objections
We update this page before a material new subprocessor begins processing Customer personal data where reasonably possible. Business customers may request email notice by sending Subscribe to subprocessor notices. A customer may object on reasonable data-protection grounds within 14 days after notice. We will work in good faith on a reasonable alternative. If none is available, the customer may stop the affected processing or terminate the affected Service.