Subprocessors
Third parties that process data on behalf of Clavitor. All are GDPR-compliant and contractually bound to data protection standards equivalent to our own.
01
Infrastructure & hosting
Clavitor operates 21 Points of Presence (POPs) across six continents. Your vault data is stored encrypted at the POP nearest to you, with backups to geographically distant POPs for resilience. See the Looking Glass for the complete list of POPs with locations and latency.
| Provider | POPs | Scope | Data type | Certifications |
|---|---|---|---|---|
| Amazon Web Services, Inc. 410 Terry Ave N, Seattle, WA, USA | 17 | Primary provider for most regions | Encrypted vault data, metadata, logs | SOC 2 Type II, ISO 27001, GDPR |
| Webrain OÜ (is*hosting) Tallinn, Estonia | 3 | Istanbul, Almaty, Bogotá | Encrypted vault data — regional POPs | Regional compliance |
| Host Africa (Pty) Ltd 12 Helena Avenue, Somerset West, South Africa | 1 | Lagos | Encrypted vault data — regional POP | Regional compliance |
| Hostkey B.V. Willem Frederik Hermansstraat 91, Amsterdam, Netherlands | -- | Zürich HQ | Administrative operations, billing infrastructure | ISO 27001, GDPR |
| Cloudflare, Inc. 101 Townsend Street, San Francisco, CA, USA | -- | Global DNS resolution | Domain resolution only — no vault data | SOC 2 Type II, ISO 27001, GDPR |
02
Payment processing
| Provider | Function | Data processed | Certifications |
|---|---|---|---|
| Paddle.com Market Ltd Judd House, 18-29 Mora Street, London, UK | Subscription billing, payment processing | Payment method (tokenized), billing address, invoice data | PCI DSS Level 1, SOC 2 Type II, GDPR |
03
Communications & services
| Provider | Function | Data processed | Certifications |
|---|---|---|---|
| Proton AG Route de la Galaise 32, Plan-les-Ouates, Geneva, Switzerland | Transactional email | Email address, vault-related notifications | GDPR, Swiss FADP |
| Cloudflare, Inc. 101 Townsend Street, San Francisco, CA, USA | DNS resolution | Domain queries only — no vault data ever touches Cloudflare | SOC 2 Type II, ISO 27001, GDPR |
04
What we don't use
We deliberately avoid common subprocessors that compromise privacy:
- No Google: No Analytics, no Fonts, no reCAPTCHA, no Firebase
- No Meta/Facebook: No tracking pixels, no social plugins
- No third-party CDNs: All assets served from our own POPs (Cloudflare is DNS-only, never proxy/CDN)
- No marketing platforms: No Mailchimp, HubSpot, or similar
- No cloud logging: Logs stay within our infrastructure
05
Updates
We notify all active subscribers 30 days before adding any new subprocessor. For critical security updates, shorter notice may apply with immediate notification.
Last updated: May 2026