G8KEPR uses a limited set of third-party sub-processors to deliver our service. This page enumerates them as required by GDPR Article 28, with DPA links and clear scope of the data each may access.
Last updated: 2026-05-09 · 30-day advance notice before adding new sub-processors
G8KEPR sensors run inside your infrastructure. The sub-processors below only have access to control-plane data (tenant configurations, billing, audit logs). Your API traffic, threat findings, AI gateway logs, and sensor telemetry remain in your VPC and are not sent to any sub-processor listed here. Only aggregated, scrubbed metrics cross the VPC boundary per our telemetry policy.
| Sub-Processor | Purpose | Data Accessed | Location | DPA |
|---|---|---|---|---|
| DigitalOcean | Control plane hosting (API servers, database, object storage) | Tenant configurations, control-plane audit logs, billing data, customer metadata | United States (NYC) | View DPA → |
| Stripe | Payment processing and subscription management | Billing contact information, payment metadata (no full card numbers — tokenized by Stripe) | Global (Stripe handles regional data residency) | View DPA → |
| Sentry | Error tracking and crash reporting (control plane only) | Error metadata, stack traces, request context — no customer-VPC sensor data | United States | View DPA → |
| SendGrid (Twilio) | Transactional email (account alerts, billing receipts, security notifications) | Email addresses, email content of transactional messages | United States | View DPA → |
| Cloudflare | CDN, DDoS protection, and DNS (marketing site and pattern pack distribution channel) | Public marketing site traffic metadata; no authenticated user data | Global (edge nodes worldwide) | View DPA → |
| GitHub (Microsoft) | Source code hosting, CI/CD pipelines, and cosign signing infrastructure | Source code only — no customer data stored in GitHub | United States | View DPA → |
We provide at least 30 days' advance notice before adding a new sub-processor. Notifications go to the billing contact email on file for your account.
If you object to a new sub-processor within the notice period, contact security@g8kepr.com. We will work with you to find an alternative or discuss your specific requirements.
Contact our security team to discuss DPA execution, data residency requirements, or your specific compliance needs.