List of Sub-processors


(Last updated: July 6, 2026)

This list forms an addendum to the Data Processing Addendum (DPA) between VeroMotion s.r.o. (operating Raflia.com) and the Customer (Controller). It details the sub-processors authorized to process personal data on behalf of the Processor in connection with the Raflia service. To receive notifications about updates, contact info@raflia.com.

Infrastructure & Hosting

Hetzner Online GmbH

  • Data location: EU (Falkenstein / Nuremberg, Germany)
  • Purpose: Cloud hosting (VPS), S3-compatible object storage, server infrastructure
  • Data processed: All Customer Data (database, stored files)
  • Safeguards: EU-based, subject to GDPR

Content Delivery Network

BunnyWay d.o.o. (Bunny.net)

  • Company location: EU (Slovenia); global edge network
  • Purpose: Serving public static assets only — team logos, project/tool icons, and web fonts — via cdn.raflia.com
  • Data processed: The visitor’s IP address when their browser fetches a public asset. No database, entry, or participant data passes through the CDN.
  • Safeguards: EU-based company, GDPR data-processing terms

Backup Storage

Hetzner Online GmbH (Object Storage)

  • Data location: EU (Falkenstein, Germany)
  • Purpose: Encrypted database backups
  • Data processed: All Customer Data (as part of backups)
  • Safeguards: EU-based, subject to GDPR (same provider as hosting above)

Error Monitoring

Functional Software, Inc. (Sentry)

  • Data location: EU (organization data-storage region set to European Union)
  • Purpose: Application error and performance monitoring
  • Data processed: Technical data, error context (may include IP addresses or identifiers in stack traces)
  • Safeguards: EU data-storage region; GDPR processing terms. Follow-up: scrub fraud identifiers (hashes, IPs) from error payloads (DPIA note).

Email

Amazon Web Services EMEA SARL (AWS SES)

  • Data location: EU (Frankfurt, Germany)
  • Purpose: Transactional email delivery (notifications, invitations, password resets)
  • Data processed: Email addresses, notification content
  • Safeguards: EU-based, GDPR-compliant processing terms, SCCs

Payment Processing

Stripe Payments Europe, Limited

  • Data location: EU (Ireland)
  • Purpose: Subscription and card payments, payment methods, invoicing
  • Data processed: Billing data, payment card tokens, transaction records
  • Safeguards: PCI DSS Level 1, EU-based, GDPR-compliant processing terms

Bot Protection

Cloudflare, Inc. (Turnstile)

  • Company location: US; global network
  • Purpose: CAPTCHA / anti-bot protection on sign-up and forms
  • Data processed: IP address and limited technical data for the bot challenge
  • Safeguards: EU-US Data Privacy Framework + SCCs. Turnstile is privacy-preserving and does not use tracking cookies (chosen over Google reCAPTCHA specifically to avoid device/cookie tracking and Google data-sharing).
  • Note: Cloudflare is also used for DNS only (DNS resolution isn’t processing of personal data, so it isn’t a sub-processor in that role).

Cookie Consent Management

iubenda s.r.l.

  • Data location: EU (Italy)
  • Purpose: Managing cookie consent on the WordPress marketing site (the app uses a built-in consent tool)
  • Data processed: IP addresses (anonymized), cookie preferences, device information
  • Safeguards: EU-based, subject to GDPR

Accounting & Billing Support

sehorsini s.r.o.

  • Data location: EU (Czech Republic)
  • Purpose: Accounting, invoicing, and tax support
  • Data processed: Customer names, billing data, invoice details
  • Safeguards: EU-based, subject to GDPR