Clamp uses the following sub-processors to deliver the service. All visitor analytics data — events, sessions, dashboards — is stored exclusively in Germany on Hetzner infrastructure. The US-based sub-processors below cover billing, transactional email, and optional OAuth sign-in; all are covered by the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
Hetzner Online GmbH
- Purpose: Hosting (web app, API, databases, cache, MCP server)
- Location: Germany — Falkenstein and Nuremberg
- Transfer mechanism: Within EEA — no transfer mechanism required
- Data processed: All customer data and visitor analytics events
- Reference: hetzner.com/AV/DPA_en.pdf
Stripe Payments Europe Ltd / Stripe, Inc.
- Purpose: Subscription billing and payment processing
- Location: Ireland and United States
- Transfer mechanism: EU-US Data Privacy Framework + Standard Contractual Clauses
- Data processed: Billing contact, payment instrument metadata, invoice history
- Reference: stripe.com/legal/dpa
Resend (Drest, Inc.)
- Purpose: Transactional email (sign-in, password reset, billing)
- Location: United States
- Transfer mechanism: Standard Contractual Clauses
- Data processed: Recipient email address, message content
- Reference: resend.com/legal/dpa
GitHub, Inc.
- Purpose: Optional OAuth sign-in
- Location: United States
- Transfer mechanism: EU-US Data Privacy Framework + Standard Contractual Clauses
- Data processed: OAuth identifier, email address
- Reference: github.com/site-policy
Change notifications
We give 30 days' advance notice before adding a new sub-processor. To receive notifications, email privacy@mail.clamp.sh with the subject “Subscribe to sub-processor updates.” We also update the “Last updated” date on this page with each change, so procurement teams can monitor by polling the date.