Subprocessors
Who we trust with your data.
Last updated: April 2026
WaiverDrop uses a small set of trusted third-party service providers to deliver the Service. This page lists those subprocessors, what they do, and where they process data. We update this page before engaging a new subprocessor.
Active
Current subprocessors
| Subprocessor | Purpose | Processing location |
|---|---|---|
Hetzner Hetzner Online GmbH (Germany) | Application hosting, database, and encrypted backups. Also hosts our self-hosted analytics (GoatCounter) and error tracking (GlitchTip). | United States (Hetzner US data center) |
Cloudflare Cloudflare, Inc. (United States) | CDN, DDoS protection, WAF, DNS, TLS termination, bot mitigation, and R2 object storage for signature images, PDF waiver records, and optional signer photographs. | Global edge; US control plane |
Stripe Stripe, Inc. (United States) | Payment processing for subscription billing. Stripe handles full card data as a PCI DSS Level 1 service provider; WaiverDrop does not see or store card numbers. | United States |
Resend Resend, Inc. (United States) | Transactional email delivery (waiver confirmations, password resets, billing receipts). | United States |
Self-hosted tools
GoatCounter (privacy-friendly product analytics, no cookies, no fingerprinting) and GlitchTip (Sentry-compatible error monitoring) run on our own Hetzner infrastructure. They are not subprocessors because no data is transmitted to a third-party vendor.
Enterprise integrations
When an Enterprise customer enables SSO/SAML, the customer's own identity provider (Okta, Google Workspace, Microsoft Entra ID) is a third party selected by the customer and is not a subprocessor of WaiverDrop. Same for webhook endpoints and booking-platform integrations.
Updates
Changes to this list
We will update this page before engaging a new subprocessor. Customers subject to our Data Processing Agreement may subscribe to subprocessor notifications by emailing [email protected]. You may object to a new subprocessor on reasonable data-protection grounds within the notice window described in the DPA.
For privacy or subprocessor questions, email [email protected].