Compliance · Sub-processors

Who we trust with your data.

Public list of sub-processors used by TheoCloud, the usetheo.dev site, and the OSS funnel. Each entry gives the name (where disclosable), purpose, region, and DPA status. The list is updated on every change, with 30-day advance notice to existing customers via email and on this page (date stamped at the bottom).

Infrastructure

Major US/EU hyperscaler (named under MSA NDA)

DPA: Signed

Compute + storage for TheoCloud runtime

Region: US-East / EU-West (customer-selectable)

Cloudflare

DPA: Signed

CDN, DNS, edge TLS termination, WAF for usetheo.dev

Region: Global edge

GitHub

DPA: Standard

Source code hosting for OSS funnel (TheoCode, TheoCreate, TheoKit) + customer Git source on TheoCloud deploys

Region: US

Sigstore (public-good infra)

DPA: Standard

Container image signing + transparency log (provenance attestation)

Region: US-led, multi-cloud

Container registry (named under MSA NDA)

DPA: Signed

Signed OCI image hosting for TheoCloud deploys

Region: US-East / EU-West

Observability

Sentry

DPA: Signed

Application error tracking (own backend services only; customer apps do not export to Sentry unless they configure it)

Region: US (customer can request EU)

OpenTelemetry Collector (self-hosted)

DPA: Standard

Internal metric + trace collection for TheoCloud runtime

Region: Same region as PaaS workload

Identity & auth

Auth provider (final selection locks Q3 2026 — Auth0 or Clerk; current candidate named under MSA NDA on request)

DPA: Signed

User authentication for usetheo.dev account portal

Region: US (Auth0) / US (Clerk)

Communications

Postmark

DPA: Signed

Transactional email (account, billing, alerts)

Region: US

Discord

DPA: Standard

Community channel (not used for support PII)

Region: US

Analytics

Plausible Analytics (self-hosted, EU)

DPA: Standard

Privacy-respecting site analytics (no IP storage, no cross-site tracking, GDPR/LGPD-compliant by design)

Region: EU

Payments

Stripe

DPA: Signed

Subscription billing (Pro, Team, Enterprise tiers)

Region: US (data) / regional payment partners

Two vendors named under MSA NDA

The hyperscaler providing compute and the container registry are listed on this public page without an explicit vendor name. Both are covered by NDA terms that restrict public naming. Enterprise customers receive the named identity under their MSA NDA on request.

Read the DPA template

Full Data Processing Agreement: 8 standard clauses, GDPR + LGPD aligned, breach notification 24h, audit rights, sub-processor advance notice.

Ask about a specific vendor

Need the named identity of the NDA vendors under your MSA, or asking about a sub-processor we don't list? Email dpa@usetheo.dev.

Last updated: 2026-05-16. Existing customers receive 30-day advance notice via email on any change. Subscribe to /changelog for the full history.