Data Processing

Subprocessors

Third-party services that process personal data on our behalf to deliver Thread Transfer services.

Change Notification

We notify customers via email at least 30 days before adding new subprocessors. Enterprise customers with a signed DPA may object to changes within 14 days.

Cloudflare

Hosting, CDN, DDoS protection, edge computing

Data processed:

IP addresses, request logs, session data

Location:

Global (EU data residency available)

SOC 2 Type IIISO 27001GDPR compliant

Cloudflare D1

Database storage

Data processed:

User accounts, workspace data, audit logs

Location:

EU (primary), US (replica)

SOC 2 Type IIISO 27001

Stripe

Payment processing

Data processed:

Payment details, billing address, transaction history

Location:

USA/EU (PCI DSS Level 1)

PCI DSS Level 1SOC 2 Type II

Google Analytics

Usage analytics

Data processed:

Anonymized page views, device info, referrer data

Location:

USA (EU data residency mode enabled)

ISO 27001SOC 2

Resend

Transactional email

Data processed:

Email addresses, email content

Location:

USA

SOC 2 Type II

Last updated: December 2025. This list is maintained in accordance with GDPR Article 28 requirements.

Questions about our subprocessors?

Contact our privacy team for details about data processing, locations, or to request our DPA.

privacy@thread-transfer.com