Who we use to run the service.
Per GDPR Article 28, this is the live list of subprocessors that may handle customer data. We notify customers in writing at least 30 days before adding a new subprocessor that touches personal or financial data. Last updated 2026-05-12.
| Subprocessor | Purpose | Data handled | Location |
|---|---|---|---|
| Render | Application hosting, managed Postgres, background workers, automatic backups | All customer data at rest (encrypted AES-256), application logs | US (us-east) primary; EU (eu-frankfurt) optional for EU customers on Advanced |
| Cloudflare | CDN, DDoS protection, TLS termination for marketing site | Request metadata, IP addresses (transient) | Global edge network |
| Stripe | Payment processing, subscription billing, tax calculation | Billing contact, payment card details (never touches our servers), invoice records | US, with EU subsidiary for EU customers |
| Resend | Transactional email (workflow reminders, password resets, billing receipts, security alerts) | Recipient email, subject + body of the specific email | US (AWS us-east-1) |
| Anthropic | AI model provider for Percival (FP&A assistant) and report generation | Per-query: only the rows / context needed to answer the specific question. Zero-retention agreement — prompts and completions are not retained or used for training. | US |
| Sentry | Error tracking, performance monitoring | Stack traces, request metadata. PII scrubbed at the SDK boundary before transmission. | US (eu-region available on Sentry's enterprise tier — planned for EU customers) |
| Vercel | Marketing site hosting (getforecastle.com) | Marketing-site visitor logs only. No customer cube data. | Global edge network |
| GitHub | Source-code hosting, CI artifacts | No customer data. Source code only. | US |

Customer-controlled integrations

These services are connected by the customer through OAuth, and the customer holds the access token. They are not subprocessors in the GDPR sense (you instruct us to read from them on your behalf), but they are listed here for transparency:

| Service | Purpose | Direction |
|---|---|---|
| Xero | General ledger, chart of accounts, tracking categories, actuals | Read-only by default. Write-back enabled per-tenant only with explicit consent. |
| QuickBooks Online | General ledger, classes, locations, actuals | Read-only by default. Write-back enabled per-tenant only with explicit consent. |
| Microsoft 365 (Excel add-in) | Add-in install, formula refresh | Customer-initiated. Forecastle pushes data to the user's spreadsheet on request. |
| Google Workspace (Sheets add-on) | Add-on install, formula refresh | Customer-initiated. Forecastle pushes data to the user's spreadsheet on request. |

Notification of changes

We notify all customers by email at least 30 days before adding a new subprocessor that handles personal or financial data. Removals are notified at the time of removal. To subscribe to subprocessor change notifications without being a customer (e.g. as a prospect's procurement team), email security@forecastle.app.