Sub-processors
The third parties involved in operating LaunchPod. Last updated: April 19, 2026.
We keep the list of sub-processors deliberately small. Each one is here because it provides a capability we do not self-host, and each one sees only the minimum data required to do its job. Prompt and response content is only exposed to the LLM gateway and the underlying model provider, both of which operate under Zero Data Retention contractual terms.
If you're an EU business and need a Data Processing Agreement (DPA), email hello@santuri.io.
| Sub-processor | Purpose | Jurisdiction |
|---|---|---|
| Hetzner Online GmbH | VM hosting (per-customer dedicated virtual machines) | Finland and Germany, European Union |
| Cloudflare, Inc. | DNS, CDN, marketing site hosting, and secure tunnels to customer VMs | United States, with EU data residency for tunnel traffic |
| OpenRouter, Inc. | LLM gateway with Zero Data Retention (ZDR) contractual terms | United States |
| Fireworks AI | LLM inference for MiniMax M2.7 and other models via OpenRouter | United States |
| Clerk, Inc. | Authentication and session management | United States |
| Stripe, Inc. | Payment processing, subscription management, and billing portal | United States and Ireland |
| Supabase Inc. | Managed Postgres database for account and instance metadata | United States, database deployed in EU region |
| Tailscale Inc. | SSH admin proxy for internal operator access to customer VMs | Canada and United States |
What each one does and does not see
Hetzner
Hetzner operates the physical infrastructure your VM runs on. They see the raw encrypted block traffic and the compute you consume. They do not have access to the running memory of the VM. Full-disk encryption at rest is not enabled today — see the privacy commitment for details on what that means.
Cloudflare
Cloudflare terminates TLS for the marketing site and routes tunnel traffic to your VM. Tunnel traffic is end-to-end encrypted between the Cloudflare edge and your VM; Cloudflare sees metadata (timestamps, packet sizes) but not the plaintext of your bot's interactions.
OpenRouter + underlying model providers
OpenRouter is the gateway through which every model call is routed. We only use OpenRouter endpoints that are marked as Zero Data Retention — providers on these paths contractually agree not to log, retain, or train on prompts and responses. Fireworks AI currently serves MiniMax M2.7 inference under this arrangement. Other models on the platform are routed to their respective providers under the same ZDR constraint. We do not route to non-ZDR paths, even as a fallback.
Clerk
Clerk handles email, Google, and GitHub sign-in. Clerk sees your email address and the sign-in method you used. Clerk does not see anything on your VM or any prompt content.
Stripe
Stripe processes your payment method and maintains your subscription record. Stripe sees your card details, billing address, and subscription status. Stripe does not see anything on your VM or any prompt content.
Supabase
Supabase hosts the managed Postgres database that holds account and instance metadata (user ID, email, instance ID, status, timestamps, encrypted secrets). The database does not store prompt content or bot conversation history. Sensitive fields are AES-256-GCM encrypted at the application layer before being written.
Tailscale
Tailscale provides an authenticated mesh network that our internal operators use to connect to customer VMs for support and maintenance. Every operator action via Tailscale SSH is audited. Tailscale does not see plaintext prompt content; it carries encrypted SSH sessions.
Adding or changing a sub-processor
When we add a new sub-processor or materially change how an existing one is used, we will update this page and note the change in the next transparency report. For customers with a signed DPA, we will additionally notify by email at least 30 days in advance of the change taking effect.
Contact
Questions, DPA requests, or data-subject requests? Email us at hello@santuri.io.