Last updated: June 21, 2026
Subprocessors
About this page
To operate Kamba we rely on a small number of trusted third-party service providers (“sub-processors”) that process personal data on our behalf. This page lists those providers, their role, where they process data, and, where data leaves the EU/EEA, the transfer mechanism relied upon.
This page complements our Privacy Policy. Each provider acts under a data processing agreement (DPA) and is bound to process data only on our instructions and to apply appropriate security measures.
Plain language summary
These are the companies that help us run Kamba. We don’t sell your data, and we keep this list to the minimum we need. Some providers are based in the US; where that is the case we rely on a recognised EU→US transfer mechanism.
Current sub-processors
The table below sets out our current sub-processors. We may update this list as our infrastructure evolves; material changes will be reflected here.
| Service | Role | Location | EU→US transfer | DPA / Privacy |
|---|---|---|---|---|
| Neon | Managed PostgreSQL database hosting (your account, projects, and stored data) | EU region (where configured) | No transfer where the EU region is used, to be confirmed by counsel | neon.tech |
| Render | Application hosting (web server running the Service) | United States | EU→US: SCC / Data Privacy Framework, to be confirmed by counsel | render.com |
| Cloudflare R2 | Storage of files and static assets (e.g. generated PDFs, images) | Global / United States | EU→US: SCC / Data Privacy Framework, to be confirmed by counsel | cloudflare.com |
| Resend | Transactional email delivery (e.g. password reset, account confirmation) | United States | EU→US: SCC / Data Privacy Framework, to be confirmed by counsel | resend.com |
| Paddle | Payment processing as Merchant of Record (checkout, invoicing, VAT collection) | Paddle.com Market Limited (UK / EU) | Transfer mechanism to be confirmed by counsel | paddle.com |
| Plausible | Privacy-friendly, cookieless usage analytics | European Union (EU instance) | Within EU: no transfer | plausible.io |
| Google (Sign-In, optional) | OAuth authentication if you choose to sign in with Google | United States | EU→US: SCC / Data Privacy Framework, to be confirmed by counsel | policies.google.com |
Payment card details are handled entirely by Paddle as Merchant of Record. Kamba never receives or stores your payment card information: only the transaction reference and your purchase/unlock status. See our Terms of Sale for the commercial terms of a purchase.
International data transfers
Some of our sub-processors are located outside the EU/EEA, principally in the United States. Where personal data is transferred outside the EU/EEA, we rely on an appropriate transfer mechanism under Chapter V of the GDPR, typically the European Commission’s Standard Contractual Clauses (SCC) and/or the provider’s certification under the EU–US Data Privacy Framework (DPF).
The specific mechanism for each provider is indicated in the table above and remains pending confirmation by legal counsel. We will not present any mechanism as definitive until it has been validated.
Questions
If you have any question about our sub-processors or international data transfers, please contact us:
- Email: hello@kamba-app.com
- Website: kamba-app.com
