Subprocessors
Last updated: April 2026
WaiverDrop uses a small set of trusted third-party service providers to deliver the Service. This page lists those subprocessors, what they do, and where they process data. We update this page before engaging a new subprocessor.
Current subprocessors
| Subprocessor | Purpose | Processing location |
|---|---|---|
Hetzner Hetzner Online GmbH (Germany) | Application hosting, database, and encrypted backups. Also hosts our self-hosted analytics (GoatCounter) and error tracking (GlitchTip). | United States (Hetzner US data center) |
Cloudflare Cloudflare, Inc. (United States) | CDN, DDoS protection, WAF, DNS, TLS termination, bot mitigation, and R2 object storage for signature images, PDF waiver records, and optional signer photographs. | Global edge; US control plane |
Stripe Stripe, Inc. (United States) | Payment processing for subscription billing. Stripe handles full card data as a PCI DSS Level 1 service provider; WaiverDrop does not see or store card numbers. | United States |
Resend Resend, Inc. (United States) | Transactional email delivery (waiver confirmations, password resets, billing receipts). | United States |
Self-hosted tools (not subprocessors)
The following tools run on our own Hetzner infrastructure and do not transmit data to a third-party vendor. Because they are self-hosted, they are not separate subprocessors.
- GoatCounter — privacy-friendly product analytics. No tracking cookies, no fingerprinting, no personal data collected.
- GlitchTip — application error monitoring (Sentry-compatible). Error reports are stored on our infrastructure; we scrub personal data from stack traces where practicable.
Enterprise integrations
When an Enterprise customer enables SSO/SAML, the customer's own identity provider (for example, Okta, Google Workspace, or Microsoft Entra ID) is a third party selected by the customer and is not a subprocessor of WaiverDrop. The same applies to webhook endpoints and booking-platform integrations that a customer chooses to connect.
Changes to this list
We will update this page before engaging a new subprocessor. Customers subject to our Data Processing Agreement may subscribe to subprocessor notifications by emailing [email protected]. You may object to a new subprocessor on reasonable data-protection grounds within the notice window described in the DPA.
Questions
For privacy or subprocessor questions, email [email protected].