subprocessors
last updated 2026-05-10 · phase 0 private alpha
This page lists every third-party service that processes briven Customer data on behalf of flndrn Limited(the Operator), a company registered at Arch. Makariou III 171, Vanezis Business Center 4th floor, 3027 Limassol, Cyprus. Where a subprocessor is “planned”, the integration exists in code but is disabled until the corresponding configuration is provided; we list them here so you can audit what your account will be exposed to as features turn on.
Each subprocessor is engaged under a data-processing agreement that limits them to the purpose stated below. Transfers outside the EU rely on Standard Contractual Clauses with appropriate supplementary measures (TLS in transit, AES-256 at rest, minimisation of what we send to each processor).
| subprocessor | purpose | location | status |
|---|---|---|---|
| Hostinger International Ltd. | VPS hosting (compute, bandwidth, host disk for control + data plane)Customer Postgres, runtime isolates, backups, and the dashboard all run on a Hostinger KVM in Frankfurt. | Lithuania (HQ); Frankfurt, Germany (data centre) | active |
| Let's Encrypt (Internet Security Research Group) | Issuance of TLS certificates for briven.tech and its subdomainsNo personal data is shared beyond the public domain name being certified. Renewals are automatic via ACME. | United States (CA-domiciled) | active |
| mittera.eu | Transactional email delivery (magic-link sign-in, email verification, project invitations, account notices)Sister product to briven, also operated by the briven Operator. Outbound sends authenticate with a Bearer API key (POST https://api.mittera.eu/api/v1/emails); delivery / bounce / complaint events come back to https://api.briven.tech/mittera-webhook signed with HMAC-SHA256 of `${ts_ms}.${body}` and verified against BRIVEN_MITTERA_WEBHOOK_SECRET. Until BRIVEN_MITTERA_API_URL and BRIVEN_MITTERA_API_KEY are configured, magic-link emails print to the api container stdout for first-user bootstrap. | EU (operator-controlled) | planned |
| Polar Software Inc. | Subscription billing, checkout, invoicing, taxationActivated when paid tiers launch. Polar handles all card data; no card details ever touch briven infrastructure. | United States; EU-resident processors via Stripe Connect | planned |
| Backblaze, Inc. (B2 Cloud Storage) | Off-site encrypted backup storage for nightly Postgres dumpsEncryption keys remain on briven infrastructure; B2 receives only ciphertext. EU mirror selected when activated. | United States; EU mirror available | planned |
| Konnos (Gitea instance at code.konnos.org) | Source code hosting; CI artifact storageNo customer data flows to konnos. Public source only. Listed for transparency about where the briven codebase lives. | EU (operator-controlled) | active |
| Google Cloud (Google LLC) | OAuth identity (Sign in with Google)Engaged only if you choose to sign in via Google. We receive your name, email, and avatar URL; we send Google nothing about your briven activity. | United States; EU points of presence | planned |
change-notification policy
We will publish material changes to this list at least 30 days before a new subprocessor starts processing customer data. “Material” means: adding a subprocessor, replacing one with a substantively different service, or expanding the scope of an existing subprocessor’s access to a category of data not previously covered. Notifications appear on briven.tech/changelog and are emailed to account owners.
If a subprocessor change is unacceptable for your use case, you may close your account and export your data without penalty within 30 days of the notice.
questions
Contact privacy@flndrn.com for any subprocessor-related question, including requests for the underlying data-processing agreements where they are not publicly available.