Legal
Subprocessors
Last updated: 2026-05-15 · Notification policy: 30 days before any addition
Even with zero-knowledge encryption, we need a small set of vendors to keep the lights on: cloud infrastructure, payment processing, transactional email. None of them have access to your file contents — they only see encrypted blobs or service metadata.
Current subprocessors
| Vendor | Service | Data accessed | Location |
|---|---|---|---|
| Cloudflare | CDN, DDoS protection, edge compute | Request metadata, IP addresses | Global edge |
| Hetzner Cloud | Application hosting | Encrypted file blobs, account metadata | Germany (EU) |
| Backblaze B2 | Cold storage backup | Encrypted backup blobs only | EU + US redundancy |
| Payment processor (TBD) | Billing for paid plans | Activated when paid plans go live | EU-based, certified |
| Postmark | Transactional email (verification, alerts) | Recipient email, message content | USA |
| Sentry | Error tracking and observability | Anonymized error context, stack traces | Germany (EU) |
What none of them ever see
- The plaintext contents of your files.
- Your filenames, folder structure, or file metadata.
- Your account password (we store an Argon2 hash, never the password itself).
- Encryption keys — these are derived locally on your devices, never sent to us.
Adding new subprocessors
We notify customers at least 30 days before adding a subprocessor that touches personal data. Subscribe to the notification list:
Subscribe to subprocessor notificationsData Processing Agreement
Business and Enterprise customers can request a signed DPA at legal@zeerga.com. Our standard DPA covers GDPR, UK GDPR, and the EU Standard Contractual Clauses.