Sub-processors.
Last updated · 17 May 2026
This page lists the sub-processors that Endolum GmbH engages to deliver the marketing website and each Endolum product. It is the single source of truth referenced by every Endolum privacy notice. Where a sub-processor is located outside Switzerland or the EU/EEA, the transfer basis is identified in the right hand column.
1. Marketing site (endolum.io)
| Sub-processor |
Purpose |
Location |
Transfer basis |
| Hetzner Online GmbH |
Website hosting |
Falkenstein, Germany (EU) |
EU/EEA, no third country transfer |
| Google Ireland Limited |
Google Analytics 4, Google Ads, Google reCAPTCHA, Google Fonts |
Ireland (EU); Google LLC in the United States as onward sub-processor |
EU-US Data Privacy Framework certification, with Standard Contractual Clauses for residual transfers |
| Cal.com Inc. |
Booking page for partner calls (linked, not embedded) |
United States |
Standard Contractual Clauses |
2. Sentinel
| Sub-processor |
Purpose |
Location |
Transfer basis |
| Hetzner Online GmbH |
Backend, databases, and Identity Service hosting on a Kubernetes cluster |
Falkenstein, Germany (EU) |
EU/EEA, no third country transfer |
| Akamai Technologies (Linode) |
Isolated scanner node that executes scans against customer targets |
Frankfurt, Germany (EU) |
EU/EEA, no third country transfer |
| Anthropic PBC |
AI assisted report generation. Zero Data Retention enabled. Anthropic does not train models on Sentinel scan data. |
San Francisco, United States |
Standard Contractual Clauses incorporated in the Anthropic Data Processing Addendum |
| Stripe Payments Europe Limited |
Subscription billing, invoice generation, payment processing |
Dublin, Ireland (EU); onward processing in the United States |
EU-US Data Privacy Framework certification, with Standard Contractual Clauses for residual transfers |
| ip-api.com |
IP geolocation for scan submitter context |
European Union |
EU/EEA, no third country transfer |
3. Hacked
| Sub-processor |
Purpose |
Location |
Transfer basis |
| Hetzner Online GmbH |
Backend, databases, and Identity Service hosting on a Kubernetes cluster |
Falkenstein, Germany (EU) |
EU/EEA, no third country transfer |
| Stripe Payments Europe Limited |
Subscription billing, invoice generation, payment processing |
Dublin, Ireland (EU); onward processing in the United States |
EU-US Data Privacy Framework certification, with Standard Contractual Clauses for residual transfers |
| ip-api.com |
IP to geolocation and ASN lookup for trigger event enrichment |
European Union |
EU/EEA, no third country transfer |
4. Cross product infrastructure
| Sub-processor |
Purpose |
Location |
Transfer basis |
| GitHub, Inc. |
Container image registry (GHCR) for product images, used at deployment time only. No customer data is processed. |
United States (Microsoft Corporation) |
Standard Contractual Clauses |
| Let's Encrypt (Internet Security Research Group) |
TLS certificate issuance for product domains |
United States |
Public certificate authority, no personal data processed |
5. Changes to this list
Endolum may add, remove, or change sub-processors from time to time. The list above is the binding reference. Material additions that affect existing customers are announced through the in product change log and, where reasonable, by email to the account contact before the change takes effect. Customers who object to a new sub-processor on documented grounds may terminate the affected subscription for the remainder of the current billing period.
6. Contact
For data processing questions, write to contact@endolum.io or to Endolum GmbH, Oberdorfstrasse 8, 8853 Lachen SZ, Switzerland. A signed data processing addendum is available on request for business customers.