Legal
Sub-processors
The third parties Greenslope engages to deliver the service. Split between those that touch customer telemetry and those that only touch account data. We commit not to add sub-processors silently.
- Last updated
- 22 April 2026
- Version
- v1.0
- Questions
- legal@greenslope.io
How we manage this list
- Every entry names a real vendor, a real purpose, and a real region.
- We announce additions to customers via email to account owners and an in-app banner before they take effect. A formal 30-day advance-notice mechanism with a right of objection is on the V2+ roadmap.
- Each sub-processor is contractually bound to data-protection obligations materially equivalent to those in our DPA.
- For onward transfers outside the EEA / UK we rely on adequacy decisions, Standard Contractual Clauses, or the UK IDTA.
Sub-processors that touch customer telemetry
| Vendor | Purpose | Region | Transfer basis |
|---|---|---|---|
| Google Cloud Platform | Compute (Cloud Run), ingestion and queuing (Pub/Sub), object storage (GCS), key management (Cloud KMS). All in europe-west1 (Belgium). | EU — europe-west1 | Within EU — no SCCs required. |
| Neon | Managed Postgres for the telemetry database (hot spans, aggregates) and the control-plane database (accounts, tenants, integrations). | EU | Within EU — no SCCs required. |
| Vercel | Marketing site, docs site, and in-product frontend hosting. No customer telemetry is processed in Vercel infrastructure. | EU edge | Within EU — no SCCs required. |
| Cloudflare | WAF, DNS, and edge routing for greenslope.io. | Global edge | UK IDTA / SCCs for any onward processing outside EU/UK. |
| Slack (Salesforce) | Outbound alert delivery to customer-owned Slack workspaces via the Greenslope Slack App. Greenslope stores bot tokens for the integration. | US | UK IDTA + SCCs; Slack is GDPR-compliant. |
| GitHub | GitHub App for release ingestion (tag / release webhook payloads). No code is read. | US | UK IDTA + SCCs. |
| Twilio | SMS and voice alert delivery to on-call recipients. | US with EU sub-region | UK IDTA + SCCs. |
| Gemini on Vertex AI (Google Cloud) | LLM inference for Auto-SRE triage summaries and postmortem drafts. EU regional endpoint. Customer data is not used for model training. | EU — europe-west4 | Within EU — no SCCs required. |
Sub-processors that touch account or operational data
These vendors process account, billing, support, or analytics data — not ingested customer telemetry.
| Vendor | Purpose | Region | Transfer basis |
|---|---|---|---|
| Paddle | Merchant of Record: payment processing, invoicing, tax, chargebacks, refunds. We don't hold card numbers. | UK / EU / US | Your separate contractual relationship with Paddle governs card data. |
| Google Workspace | Internal email, including the support@ and enterprise-support@ shared mailboxes and internal productivity. | EU | Within EU — no SCCs required. |
| PostHog Cloud EU | Product analytics for the in-product experience. Gated behind consent where required. | EU | Within EU — no SCCs required. |
| Plausible Analytics | Cookieless marketing-site analytics (page views, referrers). No personal-data cookies. | EU (Estonia) | Within EU — no SCCs required. |
| Sentry (EU region) | Error tracking for the marketing site and in-product frontend. Scrubbed of query params and obvious PII via configuration. | EU | Within EU — no SCCs required. |
| Email delivery provider | Transactional email (password resets, alert emails to account owners, invoices forwarded from Paddle). Specific vendor recorded on this page when selected. | EU | Within EU — no SCCs required. |
Subscribing to changes
Email legal@greenslope.io asking to be notified when this list changes; we’ll add you to the alert list. A self-serve subscription UI is V2+.
Historical changes
First publication: 22 April 2026. This section will list additions and removals as they occur.