Sub-processors
Updated · 2026.05.20 · Revision 1.0 · 30-day notice on additions or replacements
Vornin uses the following sub-processors to deliver the service. We will notify tenants by email at least 30 days before adding or removing a sub-processor, giving you time to object before changes take effect.
| Sub-processor | Purpose | Data categories | Location | DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Hosting (app, worker, database) | All customer data | DE (Falkenstein, Helsinki) | DPA |
| Paddle.com Market Ltd. | Payments (Merchant of Record) | Billing email, name, card last-4, VAT | UK, IE | DPA |
| OpenAI, Inc. | AI vulnerability triage (opt-in per tenant) | Vulnerability titles, descriptions | US | DPA |
| Cloudflare, Inc. | Turnstile bot-protection on auth and contact | IP address, browser fingerprint | Global edge | DPA |
| Simply.com A/S | Transactional email + DNS | Recipient email, subject, body | DK | DPA |
| Functional Software, Inc. (Sentry) | Error monitoring | Stack traces, scrubbed request context | DE | DPA |
| Grafana Labs (Grafana Cloud) | Centralized application + worker log aggregation (Loki) | Application logs (PII-scrubbed before shipping) | EU (Frankfurt) | DPA |
| Better Stack (Logtail s.r.o.) | Public status page + uptime monitoring | Outbound HTTP probe results, IP of the monitor | EU (Prague) | DPA |
| Google LLC (Google OAuth) | Optional social sign-in (only when a user chooses "Continue with Google") | Email address, name, profile picture URL | US | DPA |
| GitHub, Inc. | Optional social sign-in (only when a user chooses "Continue with GitHub"); read-only code-repository access when a tenant connects a repo | Email address, GitHub username, repo metadata | US | DPA |
| Automattic, Inc. (WPScan) | WordPress vulnerability database lookups during WordPress scans | Hostname + WordPress version queried against vuln DB | US | DPA |
| Plausible Insights OÜ | Privacy-friendly, cookieless analytics on the public marketing site (vornin.com) only — never on the authenticated app |
Anonymous page views, referrer, country (no IPs persisted) | EU (Tallinn) | DPA |
| Cybot A/S (Cookiebot) | Cookie consent management on the public marketing site only | Consent state (anonymous identifier in browser local storage) | DK | DPA |
Change notifications
Owners on every active tenant receive an email whenever this list changes — additions, removals, or material purpose changes. The notice goes out at least 30 days before the change takes effect, with a one-click reply path to object. For machine-readable tracking, link the public page itself; it is the canonical source.
To receive change notifications outside the in-app channel, email privacy@vornin.com.