Every third party that processes customer data, what they do, and when we last checked their security documentation.
| Sub-processor | Purpose | Data involved | Location | Security docs | Last verified |
|---|---|---|---|---|---|
| Hetzner Online GmbH | Hosting and backup storage. | All customer data (databases, backups, files). | Germany (Nuremberg, Falkenstein). | Compliance | 2026-04-21 |
| Anthropic PBC | Claude Sonnet for the AI chat assistant and the photo-to-ingredient feature. | Recipe and ingredient content sent transiently during a request. Zero-retention terms. Not used to train any model. | United States. EU Standard Contractual Clauses (SCCs) in place. | Trust Center | 2026-04-21 |
| OpenAI, L.L.C. | Embedding API for ingredient search. | Ingredient names and short descriptions, sent transiently. Not used to train any model. | United States. EU SCCs in place. | Enterprise Privacy | 2026-04-21 |
| Stripe, Inc. | Subscription billing and payment processing. | Billing contact name, billing address, payment card token. No recipe or ingredient data. | United States. EU SCCs in place. | Security at Stripe | 2026-04-21 |
We update this list whenever we add, change, or remove a processor of customer data. Changes are notified by email to the billing contact on each account. Each row's “last verified” date reflects the most recent time we checked the entry against the sub-processor's own current documentation.
Questions about this list? Email security@nibblr.co.uk.