Change notifications
We notify customers at least 30 days before adding or replacing a sub-processor. Notifications are sent by email to the account contact and posted on this page. To subscribe to the change feed, email privacy@fotowall.io with the subject "Subscribe to subprocessor updates."
Per the DPA Section 6, customers may object to a new sub-processor on reasonable data-protection grounds during the notice period; if we cannot accommodate, you may terminate the affected portion of the Subscription with a pro-rated refund of prepaid, unused fees.
Current sub-processors
Google LLC — Google Cloud Platform / Firebase
- Purpose
- Hosting (Cloud Run), database (Firestore), object storage (Cloud Storage), authentication (Firebase Auth), abuse prevention (App Check / reCAPTCHA Enterprise)
- Data processed
- All Customer Personal Data (photos, captions, names, emails, account, telemetry)
- Processing location
- United States (us-east1, us-central1). EU residency available on Enterprise (europe-west1).
- Safeguards
- SCCs (2021/914) via Google's Data Processing and Security Terms; ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, HIPAA-eligible. Encryption at rest with Cloud KMS; TLS in transit.
- In use since
Cloudflare, Inc. — Cloudflare DNS, WAF, CDN, Bot Management
- Purpose
- DNS resolution, edge caching of static assets, denial-of-service protection, bot mitigation
- Data processed
- Connection metadata (IP, user-agent, request path). No content storage.
- Processing location
- Global edge network. Account metadata in the United States.
- Safeguards
- SCCs via Cloudflare's Data Processing Addendum; ISO 27001, ISO 27701, SOC 2 Type II, PCI DSS.
- In use since
Stripe, Inc. — Stripe Payments and Billing
- Purpose
- Payment card processing, invoicing, tax calculation, subscription billing
- Data processed
- Customer billing identifiers, transaction metadata. Card numbers are tokenized at the browser and never traverse Fotowall systems.
- Processing location
- United States (Stripe US data centers). Regional acquirers per Stripe geo.
- Safeguards
- SCCs via Stripe's DPA; PCI DSS Level 1, SOC 1/2, ISO 27001.
- In use since
Drip Holdings dba Resend — Resend transactional email
- Purpose
- Sending password resets, login links, DSAR acknowledgements, billing receipts, and transactional notifications
- Data processed
- Recipient email address, subject, body of transactional messages
- Processing location
- United States
- Safeguards
- SCCs via Resend DPA; SOC 2 Type II; TLS in transit; opportunistic at-rest encryption.
- In use since
Sentry (Functional Software, Inc.) — Sentry error monitoring
- Purpose
- Capture runtime errors and performance telemetry to keep the Service reliable
- Data processed
- Stack traces, browser/device class, user ID (pseudonymous), URL, timestamp. PII scrubbing on by default.
- Processing location
- United States (Sentry SaaS). EU region available on request.
- Safeguards
- SCCs via Sentry DPA; SOC 2 Type II, ISO 27001.
- In use since
Google LLC — Google Analytics 4 — GA4 (with Consent Mode v2)
- Purpose
- Aggregate marketing-site analytics. Loads only after the visitor opts in.
- Data processed
- Pseudonymous client ID, pageview metadata, IP (anonymized), consent state
- Processing location
- United States; data may transit Google's global network.
- Safeguards
- SCCs; IP anonymization on; cookies set only after consent; no GA ads features enabled.
- In use since
Affiliates
Fotowall may use its corporate affiliates as sub-processors for support, billing, and engineering on the same terms as third-party sub-processors. Any such use will appear on this page.
Out-of-scope tools
The following tools are not sub-processors because they do not Process Customer Personal Data: GitHub (source code only, no customer data), 1Password (internal credentials), Notion (internal docs with no customer PII), Linear (internal issue tracking).
Contact
Questions or objections: privacy@fotowall.io.