Sub-processors
HarborGuard engages a small set of sub-processors to operate the service. This page is the canonical public list. We commit to giving customers 30 days' written notice before adding a new sub-processor that processes customer personal data.
Active sub-processors
| Sub-processor | Purpose | Data category | Region |
|---|---|---|---|
| Fly.io, Inc. | Application hosting, compute, managed Postgres, object storage | All customer data at rest and in transit | US (primary) |
| Stripe, Inc. | Subscription billing, invoicing, payment-method storage | Billing contact, plan and usage metadata; card data is collected directly by Stripe and never touches HarborGuard infrastructure | US, with EU sub-processors per Stripe's own DPA |
| Twilio SendGrid | Transactional and notification email delivery (account verification, password reset, billing receipts, notification emails) | Recipient email address, message subject and body (notification metadata; not scan contents) | US |
HarborGuard does not transmit your scan contents, SBOMs, or vulnerability findings to any third party except as required to deliver the service (for example, sending a notification email containing a finding summary that the customer has explicitly configured). We do not currently use a third-party error-tracking or observability vendor; if that changes, this page will be updated and notice will go out per the policy below.
Sub-processors used only on customer instruction
These vendors only receive customer data when the customer explicitly configures an integration:
| Sub-processor | Trigger | Data category |
|---|---|---|
| Slack Technologies | Customer enables a Slack notification channel | Notification payload (finding summary, links) |
| PagerDuty | Customer enables a PagerDuty notification channel | Incident payload (severity, finding summary) |
| Customer-configured webhook endpoints | Customer registers a webhook | Whatever the customer subscribes to; payload is HMAC-signed |
| Customer-configured SSO IdP (Okta, Azure AD, Google Workspace, generic SAML / OIDC) | Customer enables SSO | Authentication assertions, group memberships |
Notification of changes
To subscribe to sub-processor change notifications:
- Existing customers: notifications go to the workspace's billing-contact email automatically.
- Prospects and security teams: email trust@harborguard.co to be added to the announcement list.
Customer objection right
Customers may object to a new sub-processor within 30 days of notice. If we cannot offer an alternative, customers may terminate the affected service per the Master Subscription Agreement.