Sub-processor List
Last updated 10 July 2026
This page lists the third-party providers Glassbreak uses to operate the Service. We distinguish between infrastructure sub-processors (which handle encrypted Customer Data in some form, including ciphertext, metadata, and request-path data) and business sub-processors (which handle account or billing data but not Customer secret content).
Customers with an executed Data Processing Agreement may object to a proposed sub-processor on reasonable grounds during the 30 days' advance notice period described in section 13 of the Terms. The change log at the bottom of this page records every material change so customers can audit our sub-processor history.
Zero-knowledge boundary
All Customer secret content is encrypted on the user's device with AES-256-GCM under a key the user controls. Neither Glassbreak nor any sub-processor holds the decryption key. Sub-processors that handle Customer Data therefore handle ciphertext only— they cannot read the underlying secret, contact, or message content, even with full infrastructure access.
Account-level personal data (email, name, billing address) is held in cleartext by definition, and is the subject of the GDPR / UK GDPR / CCPA controller-to-processor relationship between you and us (and between us and our sub-processors).
1. Infrastructure sub-processors
Amazon Web Services (AWS)
- Legal entity
- Amazon Web Services, Inc. (US) and its regional affiliates
- Role
- VM compute and block storage for the AWS box; Amazon SES for transactional email.
- Processing location
- us-east-1 (United States).
- Data categories
- Ciphertext only (encrypted Customer Data); account metadata; request-path metadata (IP, user agent) for audit logs; recipient email address for transactional mail via SES.
Scaleway
- Legal entity
- Scaleway SAS (France)
- Role
- VM compute and block storage for the Scaleway box; Scaleway Transactional Email (TEM). Hosts the EU-direct door (glassbreak.cloud).
- Processing location
- fr-par (Paris, EU).
- Data categories
- Ciphertext only (encrypted Customer Data); account metadata; request-path metadata (IP, user agent); recipient email address for transactional mail via TEM.
Microsoft Azure
- Legal entity
- Microsoft Corporation (US)
- Role
- Planned third box (VM compute + block storage), roughly the same scope as the AWS and Scaleway boxes once live.
- Processing location
- TBD.
- Data categories
- Same scope as the other boxes once provisioned (ciphertext + metadata). Will be reflected here before going live.
- Notes
- Planned; not yet onboarded. Listed here for transparency.
Fastly
- Legal entity
- Fastly, Inc. (US)
- Role
- Multi-origin CDN, request routing (health-checked failover), DNS, TLS termination for glassbreak.io.
- Processing location
- Global edge; control plane in the US.
- Data categories
- Request-path metadata (IP, user agent, request URL). No body inspection. TLS is terminated at the edge; backends present their own certificates downstream.
Grafana Cloud
- Legal entity
- Grafana Labs (US)
- Role
- Observability platform: metrics, logs, traces, and dashboards for operating and securing the Service.
- Processing location
- Telemetry hosted in au-southeast-1 (Australia).
- Data categories
- Client IP addresses; request-path metadata (method, host, path, user agent, status); application and security logs that may include email addresses and user IDs in authentication and security events; PostgreSQL replication/pgaudit statement text (bound parameter values are NOT logged); and request traces. Never decrypted secret, contact, or message content (only operational data). Session tokens and passwords are redacted at the edge.
Twilio
- Legal entity
- Twilio Inc. (US)
- Role
- SMS and voice emergency-notification delivery.
- Processing location
- US / global carrier routing.
- Data categories
- Recipient phone numbers, message and call metadata, and delivery status. Never Customer secret content.
2. Business sub-processors
Stripe
- Legal entity
- Stripe, Inc. (US) / Stripe Payments Europe Ltd (Ireland)
- Role
- Payment processing, subscription billing, invoice issuance. Billing is not yet live (early access).
- Processing location
- Global (per Stripe routing); EU customers processed via Stripe Payments Europe Ltd.
- Data categories
- Account email, billing name, billing address, tax ID, card data (held by Stripe, not by Glassbreak), subscription state.
Plausible Analytics
- Legal entity
- Plausible Insights OÜ (Estonia)
- Role
- Privacy-respecting, cookie-free website analytics.
- Processing location
- EU (Estonia/Germany).
- Data categories
- Aggregate, anonymous traffic metrics. No cookies, no cross-site tracking, no IP storage, no personal identifiers.
GitHub
- Legal entity
- GitHub, Inc. (US) — Microsoft subsidiary
- Role
- Source code hosting, issue tracking, CI/CD via GitHub Actions, container registry.
- Processing location
- US.
- Data categories
- Glassbreak's own source code and CI metadata. No Customer Data is sent to GitHub. Public-disclosure security reports may be filed here at the reporter's request.
1Password
- Legal entity
- AgileBits Inc. (Canada)
- Role
- Internal secrets management for Glassbreak staff (infrastructure credentials, signing keys).
- Processing location
- AWS (US/EU).
- Data categories
- Glassbreak operational credentials only. No Customer Data. Listed for completeness — relevant to security posture, not to customer data processing.
3. International data transfers
Where personal data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country that has not been the subject of an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) Module 2, the UK International Data Transfer Addendum (UK IDTA), and the Swiss FADP addendum, as applicable. The current SCC module is the 2021 Commission Implementing Decision (EU) 2021/914.
Customers subject to strict data residency requirements may access the Service via the glassbreak.cloud door, which routes directly to the EU (Scaleway, fr-par) box. Because the two boxes form a single replicated cluster whose primary writer is currently on the AWS (US) box, writes transit to the US box. Full EU-only data residency, with writes isolated to the EU, is delivered by our Enterprise EU data-residency zone, which is currently in rollout. See /technology/distributed for the box architecture.
4. Change log
We update this page whenever a sub-processor is added, removed, or has its role materially changed. The change log is append-only: removed sub-processors stay in the history with the date of removal. Customers with an executed DPA receive notice by email at least 30 days before any material change takes effect.
- 2026-07-10 — Updated to the single-box architecture: Neon (managed Postgres) removed — each box now runs its own in-box PostgreSQL kept in sync by native streaming replication. Postmark removed; transactional email is now Amazon SES (AWS box) and Scaleway TEM. Grafana Cloud (observability, telemetry hosted in Australia) and Twilio (SMS/voice notifications) added. Planned third cloud changed from Fly.io/GCP to Microsoft Azure.
- 2026-05-26 — Initial publication of this standalone sub-processor list. Bunny CDN and Cloudflare removed (no longer in use).
5. Contact
Questions or objections about a specific sub-processor: legal@glassbreak.io. General privacy enquiries: privacy@glassbreak.io.
This page is part of Glassbreak's Terms and Conditions and Privacy Policy by reference. It is provided for transparency and does not constitute legal advice.