Trust & Security

Subprocessors.

This page lists the third-party services that process customer data on behalf of Threat Detective, what each one does, and where that processing takes place.

Last updated: 16 April 2026

A subprocessor is a third party we use to process personal data on our behalf. We review each subprocessor for security and privacy posture before onboarding, and we maintain a Data Processing Agreement with each one where applicable.

Infrastructure

Services that host Threat Detective and route traffic to it.

Infrastructure subprocessors
Subprocessor	Purpose	Location
Hetzner	Dedicated bare-metal hosting for the application database (Postgres), cache (Redis), background workers, and web servers.	Germany (EU)
Cloudflare	TLS termination and edge proxy. All customer traffic passes through Cloudflare on its way to the origin (Full Strict TLS mode).	Global CDN (US-headquartered)

Authentication

Identity providers that customers may choose to sign in with. Used only when the customer selects that provider; we do not share data with these services otherwise.

Authentication subprocessors
Subprocessor	Purpose	Location
Google (Sign in with Google)	OpenID Connect sign-in when customers choose Google. Returns email address and profile name to Threat Detective.	United States / global
GitHub (Sign in with GitHub)	OAuth 2.0 sign-in when customers choose GitHub. Returns email address and profile name to Threat Detective.	United States / global

Application services

Services that support specific application functions, each scoped to the data they need and nothing else.

Application service subprocessors
Subprocessor	Purpose	Location
Postmark	Transactional email delivery: invitations, password resets, and in-application notifications.	United States
PostHog	Product analytics on the application: user events and session data. Pinned to the EU region.	European Union

Private Cloud

Private Cloud deployments may use a different set of subprocessors, agreed with the customer at contract time. The list above applies to our Standard plans.

Marketing website

Our marketing website (threatdetectivehq.com) uses additional third-party services for analytics, live chat, scheduling, and newsletter delivery. These services do not process customer application data. They are disclosed in our privacy policy.

What is not listed here

The following services support how we build, deploy, and operate Threat Detective, but they do not process customer personal data on our behalf and are therefore not subprocessors:

Read-only data sources we fetch vulnerability and advisory data from (NVD / NIST, GitHub Security Advisories). Outbound reads only; no customer data is sent.
Container registry for our deployment images (Docker Hub).
Internal tooling that does not touch customer data, including our secrets manager (1Password, EU tenant) and ops networking overlay (Tailscale).

Notification of changes

When we add, remove, or materially change a subprocessor, we update this page and notify customers by email. For material additions we aim to give at least 30 days notice before the new subprocessor begins processing customer data, where operationally possible.

To receive update notifications at an address other than your account email, write to privacy@threatdetectivehq.com.

Questions

For questions about a specific subprocessor or to request our Data Processing Addendum, contact privacy@threatdetectivehq.com.