Legal & Compliance
GDPR Article 28
Sub-processors
Valpero uses the following third-party sub-processors to provide the Service. All processors are bound by data processing agreements (DPAs) and are required to handle your data in accordance with GDPR and applicable data protection law.
A sub-processor is any third party that Valpero engages to process personal data on your behalf as part of delivering the Service. We limit sub-processor access to the minimum necessary for each service, and we do not sell or share personal data for advertising purposes.
| Company & Purpose | Location | Security & Compliance |
|---|---|---|
| Hetzner Cloud GmbH: Infrastructure hosting — VPS servers running the Valpero application, monitoring workers, and all associated compute | Germany (EU) | ISO 27001; GDPR-compliant DPA in place |
| PostgreSQL + TimescaleDB on Hetzner: Primary database — stores user accounts, monitor configurations, uptime check results, and incident history | Germany (EU) | Encrypted at rest; AES-256 full-disk encryption |
| Redis on Hetzner: In-memory cache and task queue — used for rate limiting, session management, and background job scheduling. Does not persist personal data to disk. | Germany (EU) | In-memory only; no personal data persisted to disk |
| Google LLC: OAuth 2.0 login — allows users to sign in with their Google account. Safe Browsing API may be used for URL validation. | United States | Google Cloud DPA; Standard Contractual Clauses (SCCs) |
| GitHub, Inc.: OAuth 2.0 login — allows users to sign in with their GitHub account. Only basic profile information (name, email, avatar) is accessed. | United States | GitHub DPA; Standard Contractual Clauses (SCCs) |
| Lemon Squeezy LLC: Payment processing and Merchant of Record — handles subscription billing, payment card data, and all tax/VAT compliance on behalf of Valpero. Valpero does not store card details; all payment data is managed by Lemon Squeezy. | United States | PCI DSS Level 1; DPA in place, SCCs available |
| Twilio SendGrid / SMTP: Transactional email — used to send downtime alerts, SSL expiry warnings, account verification emails, and other operational notifications. | United States | SOC 2 Type II; Data minimisation — only email address transferred |
Changes to this list: We will notify customers of any additions or material changes to this list of sub-processors with a minimum of 30 days' advance notice before the new sub-processor begins processing data. Notification will be sent to the email address on file for your account. If you object to a new sub-processor, you may terminate your subscription before the change takes effect.