Subprocessor list

⚠️ Draft. This list will evolve; exact providers and DPA details to be finalized.

Updated: 2026-05-06

A subprocessor is a third party that processes user data on our behalf (under a DPA — Data Processing Agreement). We are required to publish them transparently (GDPR Art. 28(2)).

1. Current list

#	Provider	Category	Data location	Processes	DPA
1	LiqPay (PrivatBank)	Payment provider	Ukraine	Email, amount, currency, country code (no card details)	LiqPay DPA
2	OpenRouter	LLM router	USA (infra), global network	Agent prompts (no identity)	DPA pending
3	Resend (or Postmark)	Email provider	USA / EU	Email address, transactional email body	DPA pending
4	Hetzner Online (planned)	Hosting (compute, storage)	Germany	Infrastructure logs, not content	Hetzner DPA
5	Cloudflare (planned, for DNS/CDN)	DNS, edge proxy	Global	Visitor IPs	Cloudflare DPA

2. How we select subprocessors

• GDPR compliance — DPA or equivalent must be in place
• Jurisdiction — EU preferred (Hetzner DE) where possible
• Security — SOC2 / ISO27001 / equivalent
• Transparency — public DPA, clear incident policy
• Integration — SCC (Standard Contractual Clauses) support for non-EU transfers

3. Subprocessor changes

When adding a new subprocessor we:

1. Publish the updated list here
2. Email active users 14 days before the effective date
3. Allow you to object — including by terminating the subscription without penalty

4. Internal subprocessors

The youself.io team (engineers, support) are internal data processors under our direct control. All have:

• Two-factor authentication (2FA)
• Signed NDA
• Least-privilege access
• Audit log on all actions

5. Data residency

Category	Region
Knowledge base content (Proxmox VM)	EU (Hetzner DE-FSN)
Postgres DB (billing, metadata)	EU (Hetzner DE-FSN)
Redis (cache, jobs)	EU (Hetzner DE-FSN)
LLM queries (via OpenRouter)	USA (LLM provider’s region)
Backups	EU (encrypted, 30-day retention)

6. Contact

Questions on DPA / subprocessors: privacy@youself.io