Data Processors

To support the delivery of our services, Appfarm AS may engage and use data processors with access to certain customer data (each, a "data processor"). This page provides vital information about each processor's identity, location, and role. Terms used on this page but not defined have the meaning outlined in the Software Service Agreement or superseding written agreements between the Customer and Appfarm.

Third-party data processors for the Appfarm Platform (the "Service") processing customer personal data

Appfarm and its affiliates engage the following third-party entities to assist in connection with the Service as specified below:

Entity Name
Service
Service location
Task performed
Type of data stored
Storage period
Type
Country of registration
Registered address
GDPR compliance

Report-URI Ltd.

Report URI

Norway*

Automated Content Security Policy anomaly reporting for platform users (Platform Security)

IP address, URL of Appfarm solution, Browser information (User Agent string)

Deleted after 30 days

Integrated

England and Wales

22 Shireburn Avenue

Clitheroe, Lancashire

United Kingdom, BB7 2PN

View

Functional Software, Inc.

Sentry

USA *****

Automated error reporting for platform users

IP address, browser information (User Agent string), internal Appfarm identifier and crash logs. End-users

Deleted after 90 days

Integrated

USA

132 Hawthorne Street

San Francisco, CA 94107

View

Mailgun Technologies, Inc.

Email

EU/EEA

Email services

Email address and other data used in email body

Deleted after 30 days

Integrated

USA

548 Market Street, Suite 43099

San Francisco, CA 94101

View

OnlineCity ApS

GatewayAPI

EU/EEA

SMS Services

Phone number, internal Appfarm identifier

​Deleted after 30 days

Optional

Denmark

Buchwaldsgade 50,

5000 Odense C

View

MongoDB Limited

MongoDB Cloud

Belgium

Database services

Given name, surname, email address, company name, all data stored through Appfarm Create and the applications created on the platform

**

Integrated

Ireland

3 Shelbourne Building, 3rd floor

Crampton Avenue

Ballsbridge

Dublin 4

View

Amazon Web Services EMEA SARL

Amazon Web Services

Sweden

Cloud infrastructure for servers and databases. Email.

IP-address and email address

**

Integrated

Luxembourg

38 avenue John F. Kennedy

L-1855 Luxembourg, R.C.S. Luxemburg: B186284

View

Google Cloud EMEA Limited

Google Cloud Platform

Belgium

Cloud infrastructure for servers and databases

IP-address and email address

**

Integrated

Ireland

Gordon House

Barrow Street

Dublin 4

View

Gemini

EU/EEA

AI model for Appfarm Create

None

N/A

Optional

Vertex AI

Global ******

Hosting services for AI models

Prompt history and AI usage metrics

N/A

Optional

Twilio Ireland Limited

Twilio Sendgrid

USA *****

Email handling and email address validation

Email address and other data used in email body

​***

Integrated

Ireland

3 Dublin Landings

North Wall Quay

Dublin 1

View

Heap, Inc.

Heap

USA *****

Product usage analytics

Pageviews, user interactions, timing, IP address, browser details

****

Integrated

USA

225 Bush St. 2nd floor

San Francisco, CA 94104

View

Docspring, Inc.

Docspring

EU/EEA

PDF-generator API Service

Appfarm client specific PDF-data

Up to 7 days

Optional

USA

2035 Sunset Lake Road, Suite B-2

Newark, Delaware 19702

View

OpenAI Inc.

OpenAI API

EU/EEA

AI model for Appfarm Create

None

N/A

Optional

USA

1455 3rd Street, San Francisco, CA 94158

View

Anthropic, PBC

Claude Sonnet

Global ******

AI model for Appfarm Create

None

N/A

Optional

USA

548 Market Street, PMB 90375, San Francisco, CA 94104

View

* Data is sent to the service location (Cloudflare edge node) closest to the user. For users in Norway, this is Oslo; in other countries, it is most likely the country of origin.

** Customer data is continuously stored (and backed up) as long as the customer has an active Appfarm subscription. Customer data is stored up to 1 year after a subscription is canceled (if not otherwise instructed by the customer) to facilitate the customer's data transfer procedures.

*** Most data is deleted automatically according to Twilio's retention schedule within a maximum of 37 days. Twilio does retain some email event data in pseudonymized form (not including the message body content) for up to a year for security, fraud detection, anti-abuse, and network protection purposes.

**** Data is stored in accordance with Appfarm’s privacy policy at https://www.appfarm.io/privacy.

***** Company is part of the Data Privacy Framework or has adequate safeguards for data transfer such as SCC.

****** Uses Google's currently most available Vertex AI endpoint, which can be either Belgium Europe, Ohio in the USA, or Singapore in Asia.

Updates

As our business grows and evolves, the data processors we engage may also change. We will endeavor to provide the owner of the Customer's account with notice of any new data processors to the extent required under the Agreement, along with posting such updates here. Please check back frequently for updates.

2025-10-08: Additional data processors

As of today, Appfarm has added new data processors to its list. The new processors are:

  • OpenAI, Inc.: providing the AI model OpenAI API.

  • Anthropic, PBC: providing the AI model Claude Sonnet.

In addition to these two, Appfarm has also added two new services provided by an existing processor:

  • Vertex AI: AI model hosting service provided by Google Cloud EMEA Limited

  • Gemini: AI model provided by Google Cloud EMEA Limited

These are all services involved in our newly launched AI services for Appfarm Create, and are strictly optional.

The AI models mentioned above process data through AI prompts, but do not store data through these services. The data is handled and stored as regular user data in Appfarm Create, and follows the rules and is set up as other user data regarding the Service.

Vertex AI is used to host language models in a Google Cloud Environment, powering AI models, such as Claude Sonnet. Appfarm is currently running Vertex AI with multi-region to ensure the best possible availability of the AI services. Our team is working closely with Google to offer Vertex AI on EU/EEA only servers.

2025-06-12: Updates to our data processors

Appfarm has, as of today, updated its data processor list based on recommendations from an independent third-party privacy assessment from legal counsel and requests from customers. The objective is to improve clarity, relevance, and transparency for customers and users:

  • We’ve moved data processors not directly tied to the Service (the Appfarm Platform) to our Privacy Policy as they are not related to Appfarm's role as a data processor to our customers.

  • We’ve introduced a new category, "Type", in the list of data processors to indicate whether the relevant service is integrated with the Service or optional. Optional services are available as a voluntary opt-in by Appfarm Create users. GatewayAPI and Docspring have been marked as optional.

  • We've reorganized asterisk markers to improve readability and logic.

  • We've removed outdated columns (including Schrems II article links and signed DPA links) due to low relevance and high maintenance overhead.

We continue to prioritize data protection, transparency, and customer control.

2025-06-12: Addition of new data processor

Appfarm has, as of today, added a new data processor to the list:

  • Docspring, Inc: an optional service used for API-based generation of PDF documents

2023-11-13: Additional data processors

Appfarm has, as of today, added new data processors to the list. The new processors are:

  • Twilio, Inc.: an email handling and email address validation system, connected to the Service. Twilio is a participant in the Data Privacy Framework (DPF),

  • Zendesk, Inc.: a customer support system,

  • Hotjar Ltd.: an analytics tool used on Appfarm's website.

The following companies listed as data processors have, since the last update, become participants of the DPF:

  • Notion Labs, Inc.

2023-09-07: Update on the Data Privacy Framework

The EU–US Data Privacy Framework is a transatlantic data transfer framework between the United States and the European Union. The European Commission adopted its adequacy decision for the framework on July 10, 2023. The adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the EU to companies participating in the EU-U.S. Data Privacy Framework. With the adoption of the adequacy decision, European entities are able to transfer personal data to participating companies in the United States without having to put in place additional data protection safeguards. Although Appfarm has put in place necessary safeguards (e.g., standard contractual clauses) with all US-based data processors outlined above, this decision will apply to all US-based data processors participating in the framework as the US is now considered a secure third country under GDPR.

The following companies listed as data processors in a third country currently not listed in the Data Privacy Framework are:

  • Mailgun Technologies, Inc.

  • Notion Labs, Inc.

  • Docspring, Inc.

  • Civilized Discourse Construction Kit, Inc.

  • EdInvent, Inc.

Appfarm has engaged in dialog with the companies in question regarding their timeline to get registered on the list of the Data Privacy Framework.

2023-01-02: Removal of Atlassian, Inc. as data processors

Appfarm has discontinued use of Atlassian Inc. and their service Trello.

2022-12-13: Addition of new data processors

Appfarm has added new data processors in order to provide our existing and prospective customers, users, and partners with an improved and more comprehensive product offering:

  • Notion Labs, Inc. (with its service Notion): Internal communication tool, process management, and project management system.

  • Contractbook ApS (with its service Contractbook): Contract management platform

  • Webflow, Inc. (with its service Webflow): Website services

  • Civilized Discourse Construction Kit, Inc. (with its service Discourse): Community and forum platform used to organize engagement and processes

  • Docspring, Inc. (with its service Docspring): PDF template management and API service

  • Teamtailor AB (with its service Teamtailor): Applicant tracking system

None of these new data processors are directly connected to the Service but offer services Appfarm uses for auxiliary business activities, of which some customer data may be processed.

2022-11-29: Freshworks, Inc. has been removed as a data processor

Appfarm has, as of today, discontinued Freshworks, Inc. and its service Freshworks as a data processor.

2022-04-25: Added EdInvent, Inc. and Mettl Technologies, Inc. as new processors

Appfarm has, as of today, added EdInvent, Inc. and Mettl Technologies, Inc. as new data processors. Both vendors are used in relation to our certification program and are not connected to the Service.

2022-04-20: Added Hubspot as a data processor

Appfarm has, as of today, added HubSpot, Inc. as a new data processor. Hubspot is used as a customer relationship management (CRM) system and is not connected to the Service. HubSpot offers regional data hosting, and all data is located in HubSpot’s product infrastructure hosted on Amazon Web Services (AWS) in Germany.

2021-08-17: Added AWS as a data processor

Appfarm has, as of today, added Amazon Web Services (AWS) as a new data processor for the Service processing Customer personal data. The current use of AWS in the Service will be restricted to the use of the Amazon Simple Email Service (SES). Other AWS services may be used at a later time.

The reason for the change is that several Appfarm customers have, at times, experienced poor delivery times with the internal Appfarm email service, which, among others, is used for the delivery of PIN codes for user authentication purposes. The Appfarm engineering team has concluded that the current vendor and data processor (Mailgun Technologies) should be replaced with a more reliable service to secure the highest service quality of the Service.

All Appfarm customers have been notified of the change. In line with the Appfarm Data Processing Agreement (section 7.2), the new data processor will not take effect and become active in use in the Service until 30 days (September 17th, 2021) if not otherwise instructed by Appfarm customers.

2021-01-29: International Data Transfers

Although, in the light of European Court of Justice decision C-311/18 (Schrems-II), in which Privacy Shield as grounds for data transfers to third countries was invalidated, Appfarm is still ensuring that its third-party data processors are compliant with the GDPR framework, either by implementing Standard Contractual Clauses ensuring the same level of protection for its users or similar grounds accepted by the EDPB. This includes but is not limited to, already existing service providers and service providers in the future.

Last updated