Legal — Subprocessors

Subprocessors

Last updated: 22 January 2026

A "subprocessor" is a third-party vendor we use to provide the toSend Service. Under our Data Processing Agreement and applicable privacy laws (including GDPR Article 28), you have the right to know who they are, what they do, and where they process data.

We keep the list short on purpose. Every vendor below is bound by a written data-processing agreement and processes data only on our documented instructions.

Notice of new subprocessors

We notify active customers by email of any new subprocessor at least 7 days before it starts processing your data, giving you time to object. You can reach our team at support@tosend.com.

Current subprocessors

Amazon Web Services, Inc.

United States

Purpose: Email delivery via Amazon SES. Underlying compute and object storage for the sending pipeline.
Data processed: Email envelopes (from, to, subject), message bodies, sender reputation signals, bounce and complaint feedback.
Data-processing agreement: https://aws.amazon.com/compliance/gdpr-center/

Cloudflare, Inc.

United States

Purpose: Email data plane (Workers, D1 database, R2 object storage, KV cache, Queues, Analytics Engine) and hosting for the public marketing website (tosend.com) on Cloudflare Pages.
Data processed: API request metadata, email logs, message bodies (encrypted at rest, deleted after 30 days), suppression entries, webhook delivery logs, IP addresses, user-agent strings, public website access logs.
Data-processing agreement: https://www.cloudflare.com/cloudflare-customer-dpa/

Hetzner Online GmbH

Germany (European Union)

Purpose: Hosting for the customer dashboard (dash.tosend.com) — the control-plane UI where customers manage their account, domains, API keys, webhooks, and billing.
Data processed: Account identifiers (email, hashed password, session tokens), tenant and organization settings, domain verification records, API key metadata, webhook configuration, billing view data, IP addresses, user-agent strings, server logs, and any data submitted through dashboard forms. The email-sending data plane (message bodies, delivery metadata) and the public marketing website run on Cloudflare, not Hetzner.
Data-processing agreement: https://www.hetzner.com/legal/data-processing/

Stripe, Inc.

United States

Purpose: Payment processing, subscription billing, and credit purchases.
Data processed: Billing name and address, email address, last four of card and brand (full card numbers are handled by Stripe and never reach our systems), invoice and transaction history.
Data-processing agreement: https://stripe.com/legal/dpa

Internal subprocessing

Customer support, outbound product emails (onboarding, account notifications), and our application infrastructure run on toSend itself and on our self-hosted tools. No third party processes those communications on our behalf.

Questions

For a signed Data Processing Agreement, subprocessor audit reports, or questions about this page, write to support@tosend.com.