List of Sub-processors
(Last updated: July 6, 2026)
This list forms an addendum to the Data Processing Addendum (DPA) between VeroMotion s.r.o. (operating Raflia.com) and the Customer (Controller). It details the sub-processors authorized to process personal data on behalf of the Processor in connection with the Raflia service. To receive notifications about updates, contact info@raflia.com.
Infrastructure & Hosting
Hetzner Online GmbH
- Data location: EU (Falkenstein / Nuremberg, Germany)
- Purpose: Cloud hosting (VPS), S3-compatible object storage, server infrastructure
- Data processed: All Customer Data (database, stored files)
- Safeguards: EU-based, subject to GDPR
Content Delivery Network
BunnyWay d.o.o. (Bunny.net)
- Company location: EU (Slovenia); global edge network
- Purpose: Serving public static assets only — team logos, project/tool icons, and web fonts — via cdn.raflia.com
- Data processed: The visitor’s IP address when their browser fetches a public asset. No database, entry, or participant data passes through the CDN.
- Safeguards: EU-based company, GDPR data-processing terms
Backup Storage
Hetzner Online GmbH (Object Storage)
- Data location: EU (Falkenstein, Germany)
- Purpose: Encrypted database backups
- Data processed: All Customer Data (as part of backups)
- Safeguards: EU-based, subject to GDPR (same provider as hosting above)
Error Monitoring
Functional Software, Inc. (Sentry)
- Data location: EU (organization data-storage region set to European Union)
- Purpose: Application error and performance monitoring
- Data processed: Technical data, error context (may include IP addresses or identifiers in stack traces)
- Safeguards: EU data-storage region; GDPR processing terms. Follow-up: scrub fraud identifiers (hashes, IPs) from error payloads (DPIA note).
Amazon Web Services EMEA SARL (AWS SES)
- Data location: EU (Frankfurt, Germany)
- Purpose: Transactional email delivery (notifications, invitations, password resets)
- Data processed: Email addresses, notification content
- Safeguards: EU-based, GDPR-compliant processing terms, SCCs
Payment Processing
Stripe Payments Europe, Limited
- Data location: EU (Ireland)
- Purpose: Subscription and card payments, payment methods, invoicing
- Data processed: Billing data, payment card tokens, transaction records
- Safeguards: PCI DSS Level 1, EU-based, GDPR-compliant processing terms
Bot Protection
Cloudflare, Inc. (Turnstile)
- Company location: US; global network
- Purpose: CAPTCHA / anti-bot protection on sign-up and forms
- Data processed: IP address and limited technical data for the bot challenge
- Safeguards: EU-US Data Privacy Framework + SCCs. Turnstile is privacy-preserving and does not use tracking cookies (chosen over Google reCAPTCHA specifically to avoid device/cookie tracking and Google data-sharing).
- Note: Cloudflare is also used for DNS only (DNS resolution isn’t processing of personal data, so it isn’t a sub-processor in that role).
Cookie Consent Management
iubenda s.r.l.
- Data location: EU (Italy)
- Purpose: Managing cookie consent on the WordPress marketing site (the app uses a built-in consent tool)
- Data processed: IP addresses (anonymized), cookie preferences, device information
- Safeguards: EU-based, subject to GDPR
Accounting & Billing Support
sehorsini s.r.o.
- Data location: EU (Czech Republic)
- Purpose: Accounting, invoicing, and tax support
- Data processed: Customer names, billing data, invoice details
- Safeguards: EU-based, subject to GDPR