Legal
Sub-processors
Last updated: 29 May 2026
01
Who we share data with
To run Stori we use a small set of third-party processors, each acting on our behalf and receiving only what their function needs. US transfers rely on the mechanism noted in the last column.
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Hetzner Cloud | Hosting, Postgres database, file attachmentsAll account and work content at rest | Germany (EU) | — |
| Amazon Web Services (SES) | Transactional email (sign-in links, invites, billing)Email address, name, message content | Frankfurt, eu-central-1 (EU) | — |
| Stripe | Payments and billingBilling identifiers; payment details held by Stripe (we never see card data) | USA | EU–US Data Privacy Framework |
| Backblaze | Encrypted off-site backupsBackups of the data above | USA | Standard Contractual Clauses |
| Healthchecks.io | Monitoring pings for backup jobsJob heartbeats only — no customer content | USA | Standard Contractual Clauses |
02
Kept in-house
Error tracking runs on our own server in Germany — error reports are not sent to a third-party service. We don’t use analytics, advertising, or tracking processors.
03
Data Processing Agreement (AVV)
If you process personal data of your own users inside Stori, you may need a Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag) with us under Art. 28 GDPR. Request one at hey@stori.zone and we’ll send a copy to sign.
04
Changes
We’ll update this page when we add or remove a sub-processor. See our Privacy Policy for how we handle data overall.