subforge — Sub-processors
Last updated: 16 June 2026
We use a small number of third-party providers ("sub-processors") to help us run subforge. Each processes personal data only as needed to provide their service to us, under contract, and is not permitted to use it for their own purposes.
| Sub-processor | Purpose | Data processed | Location | Transfer safeguard |
|---|---|---|---|---|
| Scaleway (Scaleway SAS) | Sending transactional email (password resets, invites, account/service notices). Notification emails only — never repository content. | Recipient email address, email content | France (EU) | None — processed within the EU/EEA (UK adequacy regulations); no international transfer |
| Self-hosted (Hidef Software Limited) | Hosting the application, database, stored repositories, and CI build artifacts | All data stored by the Service | United Kingdom | UK (no transfer) |
Notes / to confirm
- Scaleway Transactional Email is our only third-party SaaS in the
application code. subforge connects to it over SMTP (
internal/mail/smtp.go). It processes data within the EU (France) and is used only for notification emails (e.g. password resets and invites) — it never receives repository content. As an EU processor there is no UK→US transfer; UK adequacy regulations cover EEA processing. Scaleway's GDPR DPA (DPA 2024) forms part of their general terms (accepted at signup — nothing separate to sign): https://www-uploads.scaleway.com/DPA_2024_ENG_b0abb5cc26.pdf and its sub-processor list at https://www.scaleway.com/en/subprocessorlist/ - Hosting & object storage. All infrastructure is self-hosted by Hidef Software Limited in the United Kingdom — the application, PostgreSQL database, repository storage, and the S3-compatible object storage used for CI artifacts. There is no third-party cloud hosting provider, so there is no international transfer for hosting. Update this entry if any of it moves to a cloud provider.
- We do not use any third-party analytics, advertising, or tracking sub-processors.
Changes
We will keep this page current. Under the DPA, customers may subscribe to be notified of new sub-processors and to object on reasonable data-protection grounds.