johan
/
clavitor
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
clavitor/clavitor.ai/templates/subprocessors.tmpl

101 lines
4.5 KiB
Cheetah
Raw Blame History

{{define "subprocessors"}}
<div class="hero container">
<p class="label mb-3">Legal</p>
<h1 class="mb-6">Subprocessors</h1>
<p class="lead mb-8">Third parties that process data on behalf of Clavitor. All are GDPR-compliant and contractually bound to data protection standards equivalent to our own.</p>
</div>
<hr class="divider">
<div class="section container prose-width">
<h2 class="mb-4">Infrastructure & Hosting</h2>
<p class="mb-6">Clavitor operates 21 Points of Presence (POPs) across six continents. Your vault data is stored encrypted at the POP nearest to you, with backups to geographically distant POPs for resilience. The complete list of POPs with cities, providers, and compliance certifications is maintained in our <a href="/pops">POP database</a>.</p>
<table class="data-table mb-8">
<thead>
<tr><th>Provider</th><th>Scope</th><th>Data Type</th><th>Certifications</th></tr>
</thead>
<tbody>
<tr>
<td><strong>Amazon Web Services (AWS)</strong></td>
<td>21 Points of Presence (POPs) across six continents. <a href="/pops">Full list in database</a>.</td>
<td>Encrypted vault data, metadata, logs</td>
<td>SOC 2 Type II, ISO 27001, GDPR</td>
</tr>
<tr>
<td><strong>Hostkey</strong></td>
<td>Zürich (2 servers: HQ operations + POP)</td>
<td>Administrative operations, billing infrastructure (HQ); Encrypted vault data (POP)</td>
<td>ISO 27001, GDPR</td>
</tr>
<tr>
<td><strong>ISHosting</strong></td>
<td>Istanbul (Turkey), Almaty (Kazakhstan)</td>
<td>Encrypted vault data — regional POPs</td>
<td>Regional compliance</td>
</tr>
<tr>
<td><strong>HostAfrica</strong></td>
<td>Lagos (Nigeria), Nairobi (Kenya)</td>
<td>Encrypted vault data — regional POPs</td>
<td>Regional compliance</td>
</tr>
<tr>
<td><strong>Cloudflare</strong></td>
<td>Global DNS resolution</td>
<td>Domain resolution only — no vault data</td>
<td>SOC 2 Type II, ISO 27001, GDPR</td>
</tr>
</tbody>
</table>
<h2 class="mb-4">Payment Processing</h2>
<table class="data-table mb-8">
<thead>
<tr><th>Provider</th><th>Function</th><th>Data Processed</th><th>Certifications</th></tr>
</thead>
<tbody>
<tr>
<td><strong>Paddle</strong></td>
<td>Subscription billing, payment processing</td>
<td>Payment method (tokenized), billing address, invoice data</td>
<td>PCI DSS Level 1, SOC 2 Type II, GDPR</td>
</tr>
</tbody>
</table>
<h2 class="mb-4">Infrastructure Services</h2>
<table class="data-table mb-8">
<thead>
<tr><th>Function</th><th>Provider</th><th>Data</th></tr>
</thead>
<tbody>
<tr>
<td>DNS resolution</td>
<td><strong>Cloudflare</strong></td>
<td>Domain queries only — no vault data ever touches Cloudflare</td>
</tr>
<tr>
<td>Transactional email</td>
<td>Self-hosted (Zürich HQ)</td>
<td>Email address, vault-related notifications</td>
</tr>
</tbody>
</table>
<h2 class="mb-4">What We Don't Use</h2>
<p class="mb-4">We deliberately avoid common subprocessors that compromise privacy:</p>
<ul class="mb-6">
<li><strong>No Google:</strong> No Analytics, no Fonts, no reCAPTCHA, no Firebase</li>
<li><strong>No Meta/Facebook:</strong> No tracking pixels, no social plugins</li>
<li><strong>No third-party CDNs:</strong> All assets served from our own POPs (Cloudflare is DNS-only, never proxy/CDN)</li>
<li><strong>No marketing platforms:</strong> No Mailchimp, HubSpot, or similar</li>
<li><strong>No cloud logging:</strong> Logs stay within our infrastructure</li>
</ul>
<h2 class="mb-4">Updates</h2>
<p class="mb-4">We notify all active subscribers 30 days before adding any new subprocessor. For critical security updates, shorter notice may apply with immediate notification.</p>
<p class="text-sm text-tertiary">Last updated: April 2026</p>
</div>
{{end}}
Reference in New Issue View Git Blame Copy Permalink