Skip to content
Menu
How it works Developers Use cases Pricing Security Docs Login Get API access

GDPR

Subprocessor List

This list identifies the third-party providers that may process customer data when exdata operates document extraction, billing, email, monitoring, support, and AI-assisted extraction workflows.

1. How Subprocessors Are Used

exdata uses subprocessors for defined service functions only. Data shared with a subprocessor is limited to what the provider needs for that function, such as hosting infrastructure, payment processing, transactional email, monitoring, support, or AI-assisted extraction.

Customer gives general authorization for listed subprocessors under the Data Processing Addendum. exdata will update this page or provide another reasonable notice channel before adding or replacing a production subprocessor that materially affects customer document processing.

Processing locations describe the intended production configuration or the provider’s published service location. Some providers also process limited account, support, security, billing, or operational metadata in other locations under their own data processing terms.

2. Current Subprocessors

Provider Purpose Data involved Processing location
Hetzner Application servers, database, queue workers, and self-managed Redis. Account data, uploaded documents, previews, extracted text, extracted fields, operational logs, queue metadata, and support context. European Union: Germany (Falkenstein or Nuremberg) or Finland (Helsinki), based on the selected Hetzner location.
Hetzner Object Storage Object storage for uploaded source files, previews, thumbnails, and generated document artifacts. Uploaded documents, generated previews, thumbnails, extracted text artifacts, and file metadata. European Union: Germany (Falkenstein or Nuremberg) or Finland (Helsinki), based on the selected bucket location.
Amazon Web Services Backup storage and restore support for production data and operational recovery workflows. Backup copies of customer data, application data, document artifacts, database exports, and operational recovery metadata. European Union: selected AWS Europe backup region, such as Frankfurt, Ireland, Paris, Milan, Spain, or Stockholm, unless another region is agreed for a customer deployment.
Stripe Checkout, payment processing, tax calculation, invoices, receipts, billing portal, and payment method handling. Billing contact data, tax IDs, payment metadata, invoice data, transaction references, and customer portal records. Ireland / EMEA for Stripe’s European entities. Additional Stripe subprocessors may process billing data in listed countries, including the United States and EU/UK locations.
Mailgun Account invitations, authentication emails, billing notices, support messages, and operational notifications. Email address, recipient name, notification content, delivery status, and delivery metadata. United States or European Union depending on the configured Mailgun domain and endpoint. Message data stays in the selected Mailgun region; limited account data may be replicated globally.
Postmark Transactional email delivery for account, authentication, billing, support, and operational messages. Email address, recipient name, notification content, delivery status, and delivery metadata. United States: primary Postmark data and servers are hosted outside Chicago and on AWS. Postmark does not currently offer EU-hosted servers.
OpenAI AI-assisted document extraction, field interpretation, and normalization support. Uploaded document content, extracted text, snippets, metadata, and prompts needed to produce extraction output. Depends on the OpenAI API project and endpoint. Europe (EEA and Switzerland) is available for eligible API projects when data residency is enabled; otherwise processing may occur in OpenAI’s standard service locations.
Laravel Nightwatch Application monitoring, error tracking, request diagnostics, alerting, and operational reliability workflows. Request metadata, error traces, environment metadata, diagnostic logs, account identifiers, and incident context. European Union when the Nightwatch EU data storage region is configured. Monitoring metadata may also be processed under Laravel’s provider and subprocessor terms.
Featurebase Support tooling, customer feedback, support conversations, product requests, and customer communication workflows. Contact details, account context, support messages, feedback content, attachment metadata, and product request context submitted by users. Primarily EEA. Ancillary services such as content delivery, DNS, email, support, or other authorized subprocessors may involve limited processing outside the EEA.

3. Objections And Questions

Customers may object to a new or replacement subprocessor on reasonable data protection grounds. Send questions or objections to support@exdata.app and include the customer account, affected service area, and the reason for the objection.

4. Related Documents

Review the Data Processing Addendum, Technical and Organizational Measures, and Privacy Policy for the broader processing terms.