Skip to content
Kamba
← Back to site Log in

Legal

← All legal documents Privacy Policy Terms of Service Terms of Sale Refund Policy Legal Notice Subprocessors

Questions? Email us at hello@kamba-app.com

Last updated: June 21, 2026

Subprocessors

Draft: pending legal review. Not yet validated by counsel. Data-transfer mechanisms (SCC / Data Privacy Framework) listed below are indicative and must be confirmed by counsel.

About this page

To operate Kamba we rely on a small number of trusted third-party service providers (“sub-processors”) that process personal data on our behalf. This page lists those providers, their role, where they process data, and, where data leaves the EU/EEA, the transfer mechanism relied upon.

This page complements our Privacy Policy. Each provider acts under a data processing agreement (DPA) and is bound to process data only on our instructions and to apply appropriate security measures.

Plain language summary

These are the companies that help us run Kamba. We don’t sell your data, and we keep this list to the minimum we need. Some providers are based in the US; where that is the case we rely on a recognised EU→US transfer mechanism.

Current sub-processors

The table below sets out our current sub-processors. We may update this list as our infrastructure evolves; material changes will be reflected here.

Service Role Location EU→US transfer DPA / Privacy
Neon Managed PostgreSQL database hosting (your account, projects, and stored data) EU region (where configured) No transfer where the EU region is used, to be confirmed by counsel neon.tech
Render Application hosting (web server running the Service) United States EU→US: SCC / Data Privacy Framework, to be confirmed by counsel render.com
Cloudflare R2 Storage of files and static assets (e.g. generated PDFs, images) Global / United States EU→US: SCC / Data Privacy Framework, to be confirmed by counsel cloudflare.com
Resend Transactional email delivery (e.g. password reset, account confirmation) United States EU→US: SCC / Data Privacy Framework, to be confirmed by counsel resend.com
Paddle Payment processing as Merchant of Record (checkout, invoicing, VAT collection) Paddle.com Market Limited (UK / EU) Transfer mechanism to be confirmed by counsel paddle.com
Plausible Privacy-friendly, cookieless usage analytics European Union (EU instance) Within EU: no transfer plausible.io
Google (Sign-In, optional) OAuth authentication if you choose to sign in with Google United States EU→US: SCC / Data Privacy Framework, to be confirmed by counsel policies.google.com

Payment card details are handled entirely by Paddle as Merchant of Record. Kamba never receives or stores your payment card information: only the transaction reference and your purchase/unlock status. See our Terms of Sale for the commercial terms of a purchase.

International data transfers

Some of our sub-processors are located outside the EU/EEA, principally in the United States. Where personal data is transferred outside the EU/EEA, we rely on an appropriate transfer mechanism under Chapter V of the GDPR, typically the European Commission’s Standard Contractual Clauses (SCC) and/or the provider’s certification under the EU–US Data Privacy Framework (DPF).

The specific mechanism for each provider is indicated in the table above and remains pending confirmation by legal counsel. We will not present any mechanism as definitive until it has been validated.

Questions

If you have any question about our sub-processors or international data transfers, please contact us:

  • Email: hello@kamba-app.com
  • Website: kamba-app.com

Kamba Sàrl-s, Sandweiler, Luxembourg. RCS Luxembourg B307982. Full publisher details: Legal Notice.

Kamba © 2026 Kamba