Subprocessor list

Last updated: 2026-05-24

This list is maintained per Article 28 of the GDPR and equivalent provisions in other privacy regimes. It names every third party that may process Qcrawl customer data, what they process, and on what legal basis.

Stripe Payments Europe Ltd

Engaged since 2026-02
Purpose
Payment processing, subscription billing, invoicing.
Data processed
Customer name, email, billing address, payment-method token. Qcrawl never sees raw card numbers.
Location
Ireland; US sub-processors per Stripe's own DPA.
Transfer basis
EU Standard Contractual Clauses; Stripe DPA available on request.

Cloudflare, Inc.

Engaged since 2025-09
Purpose
DNS, CDN, edge caching, WAF, tunnel between the origin and the public API.
Data processed
IP address and HTTP request headers of every API call, transiently. No request bodies are stored by Cloudflare.
Location
Global edge; account headquartered in the United States.
Transfer basis
EU Standard Contractual Clauses; Cloudflare DPA available on request.

Cloudflare Pages

Engaged since 2025-09
Purpose
Hosting for the marketing site (qcrawl.com) and the customer dashboard (app.qcrawl.com).
Data processed
Public marketing pages and the dashboard's static assets. No customer secrets are deployed to Pages.
Location
Global edge; account headquartered in the United States.
Transfer basis
Same as Cloudflare above; covered by the same DPA.

Amazon Web Services EMEA SARL — Simple Email Service

Engaged since 2026-01
Purpose
Outbound transactional email (verification, password reset, billing receipts, security notices).
Data processed
Recipient email, the email body. Qcrawl uses generic templates with no third-party content.
Location
Frankfurt (eu-central-1).
Transfer basis
Processed within the EU; no transfer outside the EEA.

GlitchTip (self-hosted)

Engaged since 2026-04
Purpose
Error and exception tracking for the API and dashboard.
Data processed
Stack traces, request paths, sanitised user IDs. No request bodies, no API keys, no passwords.
Location
Same infrastructure as the rest of Qcrawl; not a third-party SaaS.
Transfer basis
Not applicable — self-hosted on Qcrawl infrastructure.

Change notifications

When Qcrawl adds, removes, or materially changes the scope of a subprocessor, we update this page and the change appears in the changelog with the date and the scope of the change. Customers with executed Data Processing Agreements receive an email notice at least 30 days before a new subprocessor begins processing their data, per Article 28(2) GDPR. To object to a new subprocessor during the notice window, reply to that notice or email [email protected]; we will work with you to find a path forward that does not require routing your traffic through the disputed party, up to and including offering you a contract termination with a pro-rated refund.

Data Processing Agreement

A signed DPA is available on request for any paid plan. Email [email protected] with your company details and we will return a signed copy within two business days.

Data residency for enterprise

The list above reflects the default deployment. Enterprise customers with regional-residency requirements can ask for a custom deployment that constrains processing to a specific jurisdiction. Talk to us at [email protected].

What is not on this list

Services that do not process customer data are intentionally excluded. That includes our internal source-code hosting, our internal monitoring of build pipelines, and any tools that operate only on Qcrawl staff information. They are listed in our internal compliance documentation and are available under NDA.