LAST UPDATED · 2026-05-19
SUBPROCESSORSWho else touches your data.
A short list, on purpose. Each subprocessor below has a signed Data Processing Agreement with us and is contractually bound to the same security commitments we publish on Trust.
| Name | Purpose | Data processed | Region |
|---|---|---|---|
| Anthropic | Model inference (PBC) | Prompts and outputs | United States |
| OpenAI | Model inference | Prompts and outputs | United States |
| Cloudflare | CDN, edge runtime, DDoS | Request metadata | Global |
| Hetzner | Primary infrastructure | Operational data, customer data at rest | Germany |
| Migadu | Transactional email | Switzerland | |
| Notion | Internal lead capture | Names + work emails | United States |
| VercelFlagged for review — not currently active in production. | Preview / staging hosting | Not currently in use for production data | Global |
Adding a new subprocessor.
We give thirty days’ notice via email before adding a new subprocessor to this list. If you object during that window, we work with you to find an acceptable alternative; if we can’t, you have the right to terminate the affected service without penalty.
To subscribe to subprocessor change notifications, email legal@luminflows.com from the address that should receive them.