Sub-processors
Last updated: · Operator: Arlualo LLC, 30 North Gould Street, Sheridan WY 82801, USA · Contact: [email protected]
A "sub-processor" is a third party we engage to process personal data on your behalf as part of providing Weft. We split them into always engaged (used by every Weft account) and only engaged when you opt in (Slack, Shopify, your IMAP provider, Google sign-in).
We notify changes to this list — and any new sub-processor — at least 30 days before the change takes effect. To subscribe to those notices, email [email protected] with the subject "Subprocessor updates" and we'll add you to the announcement list. Material changes are also posted on this page and announced in-app and by email to organisation owners.
The legal basis for this list is set out in the DPA; this page is the maintained register referenced from there.
Always engaged
| Sub-processor | Service | Data category | Location | Transfer mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH | Application hosting (CCX23 cloud server), Postgres, Redis, MinIO object storage | All Customer Data | Helsinki, FI (EEA) | Within EEA — no transfer |
| Anthropic, PBC | AI inference — fallback for draft generation, classification and translation | Email subject + body, Shopify order summary, AI prompts | USA | EU SCCs (Module 2) + EU-US Data Privacy Framework |
| DeepSeek (Hangzhou DeepSeek AI Co., Ltd.) | AI inference — primary for draft generation, classification and translation (cost-optimised) | Email subject + body, Shopify order summary, AI prompts | China | EU SCCs (Module 2) + transfer impact assessment. Disabled per organisation on request — email us to switch to Anthropic-only routing. |
| Stripe Payments Europe Ltd | Subscription billing, tax, invoicing | Account email, organisation name, billing address (card data is held by Stripe — Weft never sees it) | Dublin, IE (EEA), with global processing by Stripe, Inc. | EU SCCs + EU-US DPF |
| Cloudflare, Inc. | DNS, CDN edge, DDoS protection, TLS termination | HTTP request metadata, IP address | Global edge network | EU SCCs + EU-US DPF |
| Functional Software, Inc. (Sentry) | Application error monitoring | Error stack traces, request metadata, hashed user ID | Frankfurt, DE (EU region selected) | Within EEA |
| Backblaze, Inc. | Encrypted off-site Postgres backups (AES-256, customer-controlled key) | Encrypted database snapshot — opaque to Backblaze | USA / EU (eu-central-003) | EU SCCs; backups are end-to-end encrypted before upload |
| Plausible Insights OÜ | Privacy-respecting marketing-site analytics (no cookies, no cross-site tracking) | Aggregate page-view counts only — no Customer Data | Tallinn, EE (EEA) | Within EEA |
Engaged only when you opt in
| Sub-processor | When engaged | Data category | Location | Transfer mechanism |
|---|---|---|---|---|
| Slack Technologies, LLC | When you install the Weft Slack app | Workspace + channel IDs, message text from connected channels, sender Slack user IDs and display names, emoji reactions, file metadata | USA | EU SCCs + EU-US DPF |
| Shopify, Inc. + Shopify International Limited | When you connect a Shopify store | Order numbers, totals, currencies, customer first/last name + email + phone, shipping/billing addresses, line items, fulfilment status, tracking numbers | Canada + Ireland (EEA) | Adequacy decision (Canada — PIPEDA) + within EEA (Ireland) |
| Your IMAP / SMTP provider | Always — Weft authenticates to the mailbox you connect | Mailbox credentials (encrypted at rest in Weft), inbound + outbound message content | Provider-dependent (you choose) | Per your provider's terms |
| Google LLC | When you sign in with Google OAuth | Email address, display name, OAuth identity token | USA | EU SCCs + EU-US DPF |
Past changes
None — Weft launched in May 2026. Future changes will be listed here with the announcement date and the effective date.