Security Document
Sub-processor List
The third-party services that process data on our behalf to deliver Simple Commenter, where they operate, and what they handle.
Ander Digital OÜ
Document Version: 1.0
Effective Date: March 5, 2026
Last Reviewed: March 5, 2026
Owner: Aleksander Kaaberma, CEO / Information Security Officer
1. Purpose
This document lists all third-party service providers (sub-processors) used by Ander Digital OÜ in the delivery of the Simple Commenter SaaS platform. It includes details on the data each provider processes, their geographic location, and their security certifications.
2. Sub-Processors with Data Access
| Provider | Purpose | Data Processed | Location | Certifications / Compliance | DPA |
|---|---|---|---|---|---|
| MongoDB Atlas (MongoDB, Inc.) | Database hosting | User accounts, domains, comments, configuration, email logs | EU region | SOC 2 Type II, ISO 27001, HIPAA, GDPR | Yes |
| Hetzner Online GmbH | Object storage (S3-compatible) | Uploaded files, screenshots, attachments | EU (Germany) | ISO 27001, GDPR | Yes |
| Vercel Inc. | Application hosting, CDN, serverless functions | Application code, API request/response data, function logs | Global CDN, EU data processing | SOC 2 Type II, GDPR | Yes |
| Upstash Inc. | Redis cache | Comment cache data, rate limiting counters, session tokens | EU region | SOC 2 Type II, GDPR | Yes |
| Stripe Inc. | Payment processing | Customer IDs, subscription status, payment metadata (no card data stored by us) | US/EU | PCI DSS Level 1, SOC 2 Type II, ISO 27001, GDPR | Yes |
| Twilio SendGrid | Email delivery | Recipient email addresses, email content (notifications, magic links) | US | SOC 2 Type II, ISO 27001, GDPR | Yes |
| GitHub Inc. | Source code hosting, CI/CD | Source code, deployment triggers | US | SOC 2 Type II, ISO 27001, GDPR | Yes |
| Better Stack Inc. | Log management and monitoring | Application logs, API request logs, serverless function logs | EU (Nuremberg, Germany) | SOC 2 Type II, GDPR | Yes |
3. Third-Party Integrations (Customer-Initiated)
These integrations are optionally configured by customers and process data only when enabled:
| Provider | Purpose | Data Shared (when enabled) | Location | Notes |
|---|---|---|---|---|
| Slack Technologies (Salesforce) | Comment notifications | Comment text, user name, status, priority, screenshot URLs | US | OAuth-based; customer configures channel |
| Trello (Atlassian) | Task tracking sync | Comment text, attachments, status, replies | US/AU | Two-way sync; customer provides API token |
| Custom Webhooks | Outbound notifications | Comment data, status updates, replies | Customer-defined | Customer configures endpoint and auth |
4. Domain Registrar and DNS
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Domain registrar | DNS hosting | DNS records only (no customer data) | Varies |
5. Review Process
- This list is reviewed quarterly and updated when providers change.
- New sub-processors are evaluated for security certifications and GDPR compliance before onboarding.
- Customers are notified of material changes to this list.
- DPAs are verified and renewed as needed.
6. Data Flow Summary
```text
User Browser
    |
    | (HTTPS/TLS 1.2+)
    v
Vercel (Application Hosting, EU CDN)
    |
    |---> MongoDB Atlas (EU) -- User data, comments, config
    |---> Hetzner S3 (EU) -- File uploads, screenshots, attachments
    |---> Upstash Redis (EU) -- Cache, rate limits
    |---> SendGrid (US) -- Email notifications
    |---> Stripe (US/EU) -- Payment processing
    |---> Better Stack (EU) -- Log management
    |
    |---> [Optional, customer-initiated]
            |---> Slack -- Comment notifications
            |---> Trello -- Task sync
            |---> Webhooks -- Custom endpoints
```
Approval: Aleksander Kaaberma, CEO / Information Security Officer
Date: March 5, 2026