This list is maintained for transparency and as part of FyraSoft's GDPR Article 28 commitments; the binding sub-processor terms are those in the Data Processing Agreement (DPA). Current version, effective 5 June 2026 — updated as our sub-processors change.
Sub-processors
Version v1.0 · Effective date / last updated: 2026-06-05
FyraSoft engages the third-party sub-processors below to provide our public website and our B2B SaaS Platform and its modules (FyrAura, FyrAgents, FyrAero, FyrAction, FyrAcademy, fyradmin). FyraSoft acts as a processor for customer tenant data and end-user data processed through the modules, and as an independent controller for account, billing, usage, and website-enquiry data it collects.
We give at least 30 days' prior notice before adding or replacing a sub-processor that processes customer personal data, and a right to object on reasonable data-protection grounds, as set out in the DPA.
Where a sub-processor is located outside the EU/EEA or routes data outside the EU/EEA, an appropriate transfer safeguard is identified. "SCCs" means the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (Module Two, Controller-to-Processor, for transfers to processor sub-processors).
1. Public website
These sub-processors support fyrasoft.com (the marketing website), independently of the Platform.
| Sub-processor | Purpose | Data categories | Region | Transfer safeguard | Terms |
|---|---|---|---|---|---|
| Vercel (Vercel, Inc.) | Website hosting; the contact / lead-form and rate-limit database; cookieless website analytics | Page-view metrics, transient IP (analytics + rate limiting), contact/lead form content (name, email, company, message) | US | SCCs (EU 2021/914) | DPA · Privacy |
Outbound delivery of website contact-form emails is handled by Resend — the same transactional-email provider used by the Platform (see the Resend row in section 2 below). There is no separate website email provider.
Website cookies & analytics. The website itself sets only a functional
fyrasoft-localecookie (your UI language) and stores your theme and cookie choices in your browser's local storage. Vercel Analytics is cookieless and is loaded only after you grant consent. See the Cookie Notice for the full list.
2. Platform
These sub-processors support the authenticated FyraSoft Platform and its modules.
Legend — Status: Current = in production use; Current (restricted) = in use under a stated data-scope restriction; Planned = engaged later or only when a specific feature is activated.
| Sub-processor | Purpose | Module(s) | Data categories | Region | Transfer safeguard | Terms | Status |
|---|---|---|---|---|---|---|---|
| OpenRouter (OpenRouter, Inc.) | LLM request routing / inference gateway | All AI modules (incl. FyrAgents, FyrAura) | Prompt content and model outputs (may include personal data) | US-routable / global | SCCs (EU 2021/914), Module Two | Terms · Privacy · Trust Center | Current |
| Google (Gemini API) (Google Ireland Ltd / Google LLC) | Text embeddings | Retrieval / embeddings modules (FyrAgents, FyrAero) | Text submitted for embedding (may include personal data) | US / global | SCCs (EU 2021/914), Module Two | Cloud DPA · Gemini API Terms | Current |
| Paddle (Paddle.com Market Limited) | Payments / Merchant of Record (checkout, VAT/sales-tax, refunds) — Paddle is seller of record, not FyraSoft | Platform billing | Billing & transaction data, name, email, billing address, tax IDs, payment metadata | UK / EU | UK adequacy + SCCs / UK IDTA (Paddle is MoR / separate controller for payment & tax data) | Buyer Terms · Privacy · GDPR/DPA | Current |
| Resend (Plus Five Five, Inc.) | Transactional email delivery (platform and the public website contact form) | Platform-wide + website contact-form email | Recipient email, sender name/email, email content / metadata | US | SCCs (EU 2021/914), Module Two + EU-US DPF | DPA · Sub-processors | Current |
| Cloudflare R2 (Cloudflare, Inc.) | Object storage | Platform-wide | Stored files / objects (may include personal data) | EU jurisdiction available | SCCs (EU 2021/914) + EU-jurisdiction R2 config | Customer DPA · R2 data localization | Current |
| Hostinger (Hostinger International Ltd) | Platform / tenant hosting (compute, infrastructure) | Platform-wide | All customer tenant data on EU infrastructure | EU | EU-region hosting; SCCs/UK IDTA where applicable | DPA | Current |
| Sentry (EU region) (Functional Software, Inc.) | Error monitoring / diagnostics | Platform-wide | Error events, stack traces, technical metadata (may incidentally contain personal data) | EU | EU-region | DPA · Sub-processors | Current |
| Plausible | Platform usage analytics — Plausible Cloud (EU); cookieless (no cookies, no persistent identifiers, no IP storage) | Platform | Aggregate, cookieless usage events | EU (Plausible Cloud, Germany / Hetzner) | EU-region (Plausible Cloud EU) | Data Policy · DPA | Current |
| PostHog (EU) (PostHog, Inc.) | Product analytics | Platform-wide | Product usage events, device/technical metadata, pseudonymous identifiers | EU (PostHog Cloud EU) | EU-region | DPA · Sub-processors | Optional / deferred |
| Better Stack | Uptime / availability monitoring | Platform-wide (infrastructure) | Service health metadata, contact/alert details (minimal personal data) | EU (default EU-region) | EU-region; SCCs where applicable | DPA · Security | Current |
| E2B (FoundryLabs, Inc.) | Code-execution sandbox (compute) | Modules running code/data analysis (FyrAction, etc.) | NON-PII compute only — restricted to non-personal data until an EU region and a signed Art. 28 DPA exist | US | SCCs (EU 2021/914) (restricted to non-PII; no PII transferred pending EU region + signed DPA) | Privacy · Terms · Trust Center | Current (restricted) |
| ElevenLabs (ElevenLabs, Inc.) | AI voice synthesis | FyrAura (AI voice) | Voice/audio content, text-to-speech input (may include personal data) | US (EU data-residency option) | SCCs (EU 2021/914) + EU-US DPF | DPA · Privacy | Planned (at voice activation) |
| Telnyx (Telnyx LLC) | Voice / telephony connectivity | FyrAura (AI voice) | Call metadata, telephone numbers, audio (may include personal data) | US / global (EU presence) | SCCs (EU 2021/914) per Telnyx DPA | Data & Privacy · Privacy | Planned (at voice activation) |
| Hetzner (Hetzner Online GmbH) | EU dedicated hosting (sovereignty tier) | Platform-wide (sovereignty-tier customers) | Customer tenant data for sovereignty-tier customers | EU (Germany) | EU-region | DPA (PDF) · TOMs (PDF) | Planned (sovereignty tier) |
Note on Paddle as Merchant of Record (MoR). For all paid signups and credit purchases, Paddle.com Market Limited (England and Wales, company number 8172165, registered office Judd House, 18-29 Mora Street, London EC1V 8BT) is the Merchant of Record / authorised reseller of record — FyraSoft is not. Paddle runs the checkout, calculates and remits VAT/sales tax, and processes refunds under Paddle's own policies. For that payment, tax, and refund data Paddle acts as a separate/independent controller (and as a sub-processor only to the limited extent it processes customer personal data on FyraSoft's behalf). Refunds are governed by Paddle's Refund Policy.
Note on EU data residency. Customer tenant data is processed on EU infrastructure (Hostinger EU now; dedicated Hetzner-DE for sovereignty-tier customers later). Data that contains personal data is not sent to a non-EU compute sandbox (e.g., E2B) unless and until an EU region and a signed Art. 28 DPA are in place. Some modules have hidden technical dependencies on other modules (e.g., FyrAura depends on FyrAgents) that are provisioned automatically; any sub-processor used by such a dependency is covered by this list.
How customers are notified of new sub-processors
- FyraSoft maintains this public, up-to-date sub-processor page.
- We provide at least 30 days' prior notice before adding or replacing a sub-processor that processes customer personal data, by email to the account's designated contact and/or by updating this page.
- During the notice period, a customer may object on reasonable, data-protection-related grounds. If the objection cannot be resolved, the customer's remedy is to terminate the affected module/subscription, per the DPA. (Payment/refund consequences are handled by Paddle under its MoR/refund policy.)
The binding terms, including the full DPA outline and SCC scope, are set out in the FyraSoft Data Processing Addendum.