Sub-processors
These are the third parties VectorFlow Cloud entrusts with customer data to deliver the service. We give existing customers 30 days’ advance notice before adding any new sub-processor to this list.
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, RDS, KMS, S3, ECS — primary infrastructure | eu-west-2 (London) by default; us-east-1 on request | AWS Data Processing Addendum + Standard Contractual Clauses |
| Stripe | Subscription billing, invoicing, tax | United States (Stripe DPA) | Stripe Data Processing Agreement |
| Resend | Transactional email (magic links, billing receipts, alerts) | United States | Resend Data Processing Agreement |
| Sentry | Server error tracking — PII scrubbed in `beforeSend` before transmission | United States | Sentry Data Processing Agreement |
| Cloudflare | DNS, edge routing, DDoS protection | Global | Cloudflare Data Processing Addendum |
| PostHog (self-hosted on VectorFlow stamps) | Product telemetry; opt-in per organization via `OrganizationSettings.telemetryEnabled` | eu-west-2 by default; tracks stamp region | N/A — self-hosted; data never leaves the VectorFlow trust boundary |
What we do not process through third parties
- Raw log data never reaches our control plane and therefore never reaches any sub-processor.
- Customer secrets in plaintext never leave the encrypted Postgres column. Sub-processors that touch the database only see ciphertext.
- Analytics on customer behaviour beyond error-tracking telemetry. We do not use third-party product analytics that ship identifiable usage data off-platform.
Return to Trust & Security overview.