Sub-processor List
Last updated 26 May 2026
This page lists the third-party providers Glassbreak uses to operate the Service. We distinguish between infrastructure sub-processors (which handle encrypted Customer Data in some form, including ciphertext, metadata, and request-path data) and business sub-processors (which handle account or billing data but not Customer secret content).
Customers with an executed Data Processing Agreement may object to a proposed sub-processor on reasonable grounds during the 30 days' advance notice period described in section 13 of the Terms. The change log at the bottom of this page records every material change so customers can audit our sub-processor history.
Zero-knowledge boundary
All Customer secret content is encrypted on the user's device with AES-256-GCM under a key the user controls. Neither Glassbreak nor any sub-processor holds the decryption key. Sub-processors that handle Customer Data therefore handle ciphertext only; they cannot read the underlying secret, contact, or message content, even with full infrastructure access.
Account-level personal data (email, name, billing address) is held in cleartext by definition, and is the subject of the GDPR / UK GDPR / CCPA controller-to-processor relationship between you and us (and between us and our sub-processors).
1. Infrastructure sub-processors
Amazon Web Services (AWS)
- Legal entity: Amazon Web Services, Inc. (US) and its regional affiliates
- Role: Lambda compute (AWS vertical), S3 object storage, IAM, CloudWatch logs, CloudFront edge.
- Processing location: us-east-1 (Lambda + S3); CloudFront edge worldwide.
- Data categories: Ciphertext only (encrypted Customer Data); request-path metadata (IP, user agent) for audit logs; account email for delivery of transactional notifications via SES (if enabled).
Scaleway
- Legal entity: Scaleway SAS (France)
- Role: Serverless Functions (Scaleway vertical), Object Storage, Managed PostgreSQL, Serverless SQL, Edge Services.
- Processing location: fr-par (Paris, EU).
- Data categories: Ciphertext only (encrypted Customer Data); request-path metadata; controller account metadata. Hosts the EU-pure direct path (glassbreak.cloud).
Neon
- Legal entity: Neon Inc. (US) — managed Postgres on AWS infrastructure
- Role: Serverless PostgreSQL for the AWS vertical.
- Processing location: aws-eu-central-1 (Frankfurt, EU).
- Data categories: Encrypted secret ciphertext, account metadata (email, hashed password, MFA artefacts), audit log entries, team membership.
Fastly
- Legal entity: Fastly, Inc. (US)
- Role: Multi-origin CDN, request routing (sticky-cookie failover), DNS, TLS termination for glassbreak.io.
- Processing location: Global edge; control plane in the US.
- Data categories: Request-path metadata (IP, user agent, request URL). No body inspection. TLS is terminated at the edge; backends present their own certificates downstream.
Fly.io / Google Cloud
- Legal entity: Fly.io, Inc. (US) and/or Google LLC (US) — selection in progress
- Role: Planned third compute vertical (Phase 8 hard-disconnect path).
- Processing location: TBD (target: at least one non-EU non-US region).
- Data categories: Same scope as the other compute verticals once provisioned (ciphertext + metadata). Will be added to this page with 30 days' notice before going live.
- Notes: Not yet onboarded. Listed here for transparency.
2. Business sub-processors
Stripe
- Legal entity: Stripe, Inc. (US) / Stripe Payments Europe Ltd (Ireland)
- Role: Payment processing, subscription billing, invoice issuance.
- Processing location: Global (per Stripe routing); EU customers processed via Stripe Payments Europe Ltd.
- Data categories: Account email, billing name, billing address, tax ID, card data (held by Stripe, not by Glassbreak), subscription state.
Postmark
- Legal entity: ActiveCampaign, LLC d/b/a Postmark (US)
- Role: Transactional email delivery (account verification, password resets, security alerts, notifications).
- Processing location: US.
- Data categories: Recipient email address, sender, subject, message body (transactional content only — never Customer secret content).
Plausible Analytics
- Legal entity: Plausible Insights OÜ (Estonia)
- Role: Privacy-respecting, cookie-free website analytics.
- Processing location: EU (Estonia/Germany).
- Data categories: Aggregate, anonymous traffic metrics. No cookies, no cross-site tracking, no IP storage, no personal identifiers.
GitHub
- Legal entity: GitHub, Inc. (US) — Microsoft subsidiary
- Role: Source code hosting, issue tracking, CI/CD via GitHub Actions, container registry.
- Processing location: US.
- Data categories: Glassbreak's own source code and CI metadata. No Customer Data is sent to GitHub. Public-disclosure security reports may be filed here at the reporter's request.
1Password
- Legal entity: AgileBits Inc. (Canada)
- Role: Internal secrets management for Glassbreak staff (infrastructure credentials, signing keys).
- Processing location: AWS (US/EU).
- Data categories: Glassbreak operational credentials only. No Customer Data. Listed for completeness — relevant to security posture, not to customer data processing.
3. International data transfers
Where personal data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country that has not been the subject of an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) Module 2, the UK International Data Transfer Addendum (UK IDTA), and the Swiss FADP addendum, as applicable. The current SCC module is the 2021 Commission Implementing Decision (EU) 2021/914.
Customers subject to strict data residency requirements may route exclusively through the EU-pure glassbreak.cloud vertical (Scaleway compute and storage in fr-par; no US transit). See /technology/distributed for the vertical architecture.
4. Change log
We update this page whenever a sub-processor is added, removed, or has its role materially changed. The change log is append-only: removed sub-processors stay in the history with the date of removal. Customers with an executed DPA receive notice by email at least 30 days before any material change takes effect.
- 2026-05-26 — Initial publication of this standalone sub-processor list. Bunny CDN and Cloudflare removed (no longer in use); Fly.io/GCP marked as planned for Phase 8.
5. Contact
Questions or objections about a specific sub-processor: legal@glassbreak.io. General privacy enquiries: privacy@glassbreak.io.
This page is part of Glassbreak's Terms and Conditions and Privacy Policy by reference. It is provided for transparency and does not constitute legal advice.