LEGAL
Sub-processors
Last updated:
Version
- Version: 1.1
- Effective date: 2026-07-03
- Owner: Kotao GmbH, Cologne, Germany
- Counsel review: role classification and transfer-basis wording were legally reviewed and approved on 2026-07-03. This page is the operational publication used with the Data Processing Agreement and does not replace legal advice for customer-specific transfer assessments.
Scope
This page lists third-party providers that may process personal data for Kotao when we operate the platform, marketing site, email delivery, payments, observability, analytics, and optional AI features. It consolidates the sub-processor information referenced from the Privacy Policy and Data Processing Agreement.
Sub-processor list
| Sub-processor | Purpose | Processing Region | Transfer basis |
|---|---|---|---|
| Cloudflare | DNS, CDN, WAF, edge security, image delivery, cache, and traffic routing for public and application surfaces. | Global edge network; account and support access may occur from the United States. | EU-U.S. Data Privacy Framework (DPF) for certified U.S. transfers and Standard Contractual Clauses (SCC) as required under Cloudflare’s DPA. |
| Neon | Managed Postgres databases, connection pooling, backups, and database operations for application data. | Selected EU database regions for production workloads where configured; support and service operations may involve the United States and vendor subprocessors. | Neon DPA/SCC for transfers outside the EEA; DPF/SCC may apply to Neon’s certified downstream U.S. providers where available. |
| Kotao Payments processors | Payment processing, billing, checkout, fraud controls, tax/payment records, and payout-related processing. | EEA/United Kingdom and the applicable processor network, depending on payment method, merchant, and end-customer location. | DPF, SCC, or equivalent transfer controls where required for the applicable processor. |
| Resend | Transactional and product email delivery, including newsletter double opt-in and operational notifications. | United States. | Resend DPF certification and Resend DPA/SCC. |
| Amazon SES | Email relay infrastructure and delivery logs used directly or through email providers. | AWS regions selected for service delivery and global email routing; U.S. access may occur for support and operations. | AWS DPF certification and AWS GDPR DPA/SCC. |
| PostHog | Consent-gated product analytics, event funnels, feature usage analysis, and product telemetry. | PostHog Cloud EU, hosted in Frankfurt, Germany; PostHog subprocessors may process support or service data outside the EEA. | EU hosting for primary analytics data; SCC/DPF controls for third-country access by PostHog or its subprocessors where applicable. |
| Sentry | Error monitoring, release health, stack traces, performance telemetry, and source-map processing. | United States and service locations used by Sentry for its hosted observability platform. | Sentry Data Privacy Framework (DPF) and SCC/UK Addendum as set out in Sentry’s DPA. |
| OpenAI | Optional AI features, prompt/completion processing, embeddings, and safety/abuse monitoring when AI modules are enabled. | OpenAI Ireland for EEA and Swiss customer data under OpenAI’s DPA; transfers to OpenAI affiliates or third parties outside the EEA may occur to provide the services. | OpenAI DPA with SCC or adequacy decision for transfers outside the EEA/Switzerland. |
Change notice and objections
Kotao will give at least 30 days prior notice before adding a new sub-processor or making a material change to the purpose, region, or transfer basis of an existing sub-processor. Notice may be sent to the account contact, published on this page, or provided through another contractual notice channel. Customers may object during the 30-day notice period under the Data Processing Agreement.
To subscribe to change notices or raise an objection, contact legal@kotao.com with the subject line Sub-processor notice.
Changelog
- 2026-07-03 — v1.1: Counsel review completed and approval documented; review marker removed. No substantive changes to the list.
- 2026-06-25 — v1.0: Initial publication of named sub-processors, purposes, processing regions, transfer bases, 30-day change-notice procedure, and counsel-review marker.
Legal context
Other documents.
Privacy, security, terms, and usage rules should be read together when evaluating Kotao for multiple teams.
-
Acceptable Use Policy
Activities prohibited on the Kotao platform.
-
Cookie Policy
How Kotao uses cookies and similar technologies.
-
Data Processing Agreement
Kotao's Data Processing Agreement under Art. 28 GDPR.
-
Illegal Content Reports (DSA)
Notice-and-action mechanism under Art. 16 DSA and Kotao GmbH's points of contact.
-
Imprint
Legal entity information for Kotao GmbH per § 5 DDG.
-
Kotao Payments Terms
Supplementary terms for the integrated payment processing on the Kotao platform.
-
Privacy Policy
How Kotao GmbH collects, uses, and protects your personal data under GDPR.
-
Security Disclosure
How to report security vulnerabilities to Kotao.
-
Terms of Service
The terms governing the use of Kotao's platform and services.