Sub-processors

Effective Date: 2026-05-14 — Version: 1.9

This page is the canonical, deep-linkable register of every sub-processor fremverk engages to deliver the Service. It is committed to in DPA §10 and DPA Annex B, and procurement teams may reference this URL directly in vendor due-diligence documentation.

Change-notification commitment

Any addition, replacement, or material change to the sub-processor list is announced 30 days in advance via two parallel channels per DPA §10.2: (a) a direct email to each Customer’s org billing contact-of-record (the contractual carrier — delivery is recorded in fremverk’s audit log with per-recipient email-provider message ids), AND (b) a public posting to this page and the security-notices mailing list (provided for convenience to non-billing addresses such as security teams and compliance leads). Customers who object to a new sub-processor on documented data-protection grounds may exercise the termination right at DPA §10.2 with pro-rata refund of any prepaid unused Fees.

For emergency onboarding (e.g., immediate replacement of a sub-processor that is itself the source of a security incident), fremverk publishes within 24 hours of the change and extends the objection window to 30 days post-onboarding. See DPA §10.3.

Subscribe to change notifications: subscribe to the security-notices mailing list — replies and out-of-band questions land at security-notices@frem.sh (alias forwards to compliance@frem.sh).

Current sub-processors

| Sub-processor | Purpose | Location | Certifications | DPA / SCCs |
| --- | --- | --- | --- | --- |
| Deutsche Telekom AG (T Cloud) | Core compute, storage, network — every customer-facing surface | Biere & Magdeburg, DE | ISO 27001, ISO 27017, ISO 27018, BSI C5 Type 2, TISAX | T Cloud DPA — EU controller, no US parent |
| Bunny CDN d.o.o. | Edge delivery, WAF, DDoS protection for frem.sh and customer-served static assets | EU PoPs (HQ Slovenia) | ISO 27001 (2025), SOC 2 Type II (2023) | Bunny DPA — EU controller, no US parent |
| Lettermint B.V. | Outbound transactional email (verification, dunning, security notices) | Zwolle, NL — upstream OVHcloud SAS (FR) + UpCloud Ltd (Amsterdam NL datacenter, Finland-incorporated) | Vendor certifications pending evidence (NL — no US parent) | Lettermint DPA — EU controller, no US parent |
| Mollie B.V. | Payment processing (mandate creation, recurring charges, refunds) | Amsterdam, NL | PCI-DSS Level 1 | Mollie DPA — EU controller, no US parent |
| Heinlein Hosting GmbH (mailbox.org) | Shared-mailbox hosting (support@, abuse@, security@, compliance@, hello@, ops@, enterprise@, info@fremverk.com) | Berlin, Germany | ISO 27001, BSI C5, BSI IT-Sicherheitskennzeichen (TR 03108) | Heinlein Hosting DPA — EU controller, no US parent |
| Visma Dinero ApS | Issuance and 5-year statutory retention of invoice bilag under Bogføringsloven §10 — receives org legal name, billing-contact email, VAT number, invoice line items, Mollie payment-id reference. No repository content, no audit-log content, no PAN. | Copenhagen, DK | ISO 27001 (DK-issued, no US parent) | Visma Dinero DPA — EU controller, no US parent |

Disclosed for transparency — not Article-28 sub-processors

The following counterparties touch the platform but do not process Customer Personal Data on fremverk’s behalf and are therefore not sub-processors under GDPR Article 28. They appear here so the customer-facing register is complete:

| Counterparty | Role | Location | Why not a sub-processor |
| --- | --- | --- | --- |
| Actalis S.p.A. (Aruba Group) | Origin-TLS Certificate Authority for *-origin.frem.sh (eIDAS QTSP) | Italy, EU | The CA receives only FQDNs — never personal data — during the ACME-DNS-01 issuance flow. Carved out of Annex B per DPA §A.4. D-TRUST GmbH (Germany, eIDAS QTSP) retained as named paid fallback. |
| EU Commission VIES service | VAT-number validation at signup (reverse-charge qualification) | EU institutions | Non-commercial public-sector lookup; only the VAT identifier (a business-registration number) is submitted. Disclosed in privacy notice §3.3. |
| Simply.com A/S | Registrar + DNS for the brand-redirect domains fremforge.{com,eu,dk} (all 301 → www.frem.sh) | Denmark | No Customer Personal Data transits Simply.com — only DNS lookups for the redirect targets. Customer-facing surfaces use BunnyDNS (Bunny CDN d.o.o., Slovenia — same sub-processor as the CDN/WAF/edge tier, already disclosed in the Annex B sub-processor table above). |

What we do not engage

  • No CDN or edge provider with a US parent is in the request path for customer-facing endpoints.
  • No analytics or telemetry processor. Phase 1 ships with no product analytics at all — matches what the cookie policy + privacy notice already say (no analytics, no consent banner). No Google Analytics, no Mixpanel, no Segment, no Plausible. Self-hosted Plausible (T Cloud eu-de) is on the post-launch roadmap; if/when deployed, it will appear in the change-log below and as a tier-1 first-party processor in Annex B (data stays inside fremverk’s T Cloud account; no third-party egress).
  • No AI / LLM provider is invoked on Customer Content. Agent-mandate features (per DPA §11A) act under run-time customer instruction and do not transit a third-party model surface for content; fremverk does not retain Customer Content in any model corpus. The sub-processor stack carries this prohibition contractually downstream — see AI-training prohibitions across sub-processors below.
  • No US payment processor. Mollie (NL) handles every charge.
  • No bot-protection widget vendor. Forgejo signup uses self-hosted Altcha (MIT-licensed, HMAC-signed PoW) running in-process inside the api monolith on the same T Cloud cluster; no Cloudflare Turnstile, no hCaptcha, no Google reCAPTCHA.

CLOUD Act posture

Every entry above is an EU-controlled entity with no US parent. Zero CLOUD Act exposure on any processing path. No Schrems II Transfer Impact Assessment is required because no Customer Personal Data is transferred outside the EU/EEA.

For the full posture, see DPA §11.3 and the trust index — Schrems II section.

AI-training prohibitions across sub-processors

The “no AI training on Customer data” commitment in DPA §6A binds every entity in the sub-processor stack. The supporting public commitments from each sub-processor are listed below for cross-reference. Where a sub-processor publishes a model-training opt-in, fremverk has not opted in.

| Sub-processor | Public commitment we rely on |
| --- | --- |
| Deutsche Telekom AG (T Cloud / Open Telekom Cloud) | T Cloud Service Description and DPA — IaaS layer; the platform does not access tenant content. T Cloud’s AI principles commit to data-minimisation and purpose-limitation in Telekom-developed AI, and the IaaS DPA prohibits use of customer payload for any purpose other than service delivery. |
| Bunny CDN d.o.o. | Bunny DPA — Bunny processes traffic for cache + WAF only; no model training rights granted. Bunny’s AI policy disclosure confirms no AI model is trained on customer-traffic payloads. |
| Lettermint B.V. | Lettermint DPA + Privacy Policy — transactional email scope; outbound-only relay. Customer recipient lists are not used for cross-account model training, and no AI / model-training opt-in has been enabled. |
| Mollie B.V. | Mollie Privacy Statement and PSD2 / PCI-DSS scope — transaction processing only; Mollie does not train AI models on transaction metadata for the merchant. |
| Heinlein Hosting GmbH (mailbox.org) | mailbox.org Privacy Statement — explicit “no AI training, no profiling” position; mailbox.org’s marketing routinely states “Wir trainieren keine KI mit Ihren Daten” (“we don’t train AI on your data”). |
| Visma Dinero ApS | Visma Group Privacy & AI policy — accounting integration scope; no training on Customer Personal Data crossing the integration. fremverk’s bookkeeping path receives org legal name, billing-contact email, VAT number, invoice line items, Mollie payment-id (Customer Personal Data of the org admin); no repository content, no audit-log content, no PAN. |
| Actalis S.p.A. | eIDAS QTSP — receives only domain names during ACME-DNS-01 issuance; CA scope precludes content-derivative use. |
| EU Commission VIES service | Public-sector lookup; out of scope for AI training (no consumer-grade ML trained on VAT registry traffic). |
| Simply.com A/S | Registrar / DNS for redirect domains only; no Customer Personal Data path. |

If any sub-processor changes its position on AI training, fremverk is obliged under DPA §6 (Sub-processors) to give Customers prior notice and the right to object before the new processing begins. The change-log at the bottom of this page records every such transition.

Card-network footnote

Card payments through Mollie are technically routed via PCI-DSS-attested card-network sub-sub-processors: Visa Europe Services Inc. (UK branch) and Mastercard Europe SA (Belgium). Both are EU operating entities, but their ultimate parents (Visa Inc., Mastercard Inc.) are US-incorporated. fremverk does not contract with these networks directly — they are sub-sub-processors of Mollie under PCI-DSS network rules. The “no US-parented” claim above applies to fremverk’s own sub-processor stack at the operating-company level. Customers preferring zero US-parent exposure on the payment path may pay by SEPA Direct Debit (Mollie’s SEPA path involves no card-network sub-sub-processor). See DPA §11.3 for the full framing.

Customer-requested alternatives

The default sub-processor set already has zero US-parented exposure. Under Enterprise-on-Demand, Customers may additionally request:

  • Audit of any region-pinning preferences across T Cloud regions (eu-de is default; alternative EU regions available on request subject to feature parity).
  • Region-specific data-residency commitments stronger than the default (e.g., contractual pinning to a single eu-de availability zone).

Contact enterprise@frem.sh to scope.

Historical changes

This section records the change history of the sub-processor list in reverse chronological order. The list above is always the current state.

| Date | Change | Notice published |
| --- | --- | --- |
| 2026-05-14 | Outbound transactional email migrated from Sendinblue SAS (Brevo, FR) to Lettermint B.V. (Zwolle, NL). Brevo decommissioned 2026-05-14. Outbound email path remains EU-only with no US-parented processor; the AI-training prohibitions row was rewritten accordingly. Mirrors DPA v1.9. | n/a (no signed customers; pre-launch) |
| 2026-05-08 | Round-7 transparency batch: Actalis S.p.A. (origin-TLS CA, IT, eIDAS QTSP), EU VIES service (VAT validation), and Simply.com A/S (DK, brand-redirect DNS) added to a new “Disclosed for transparency — not Article-28 sub-processors” section. None receive Customer Personal Data; carved out of Annex B per DPA §A.4. | n/a (no signed customers; pre-launch) |
| 2026-05-06 | Visma Dinero ApS (Denmark) added to Annex B as a billing-path sub-processor. Customer Personal Data scope: organisation legal name, billing contact, VAT number, invoice line items, Mollie payment id. 5-year statutory retention under Danish Bogføringsloven §10. Mirrors DPA v1.4 (revised in v1.5 — earlier “no Customer Personal Data path” wording was incorrect). | n/a (no signed customers; pre-launch) |
| 2026-04-27 | Inbound shared-mailbox hosting moved from Microsoft Ireland Operations Ltd. to Heinlein Hosting GmbH (mailbox.org), Berlin, Germany — eliminates the prior US-parented sub-processor on the inbound mailbox path | n/a (no signed customers; pre-launch) |
| 2026-04-25 | Initial register | Effective Date |

Contact

For sub-processor questions:


See also: Trust index · Privacy notice