HolyDocs uses a small number of carefully selected third-party vendors to deliver the Service. These vendors are “subprocessors” under the GDPR and the HolyDocs Data Processing Agreement. This page is the authoritative list of subprocessors that may Process Customer Personal Data, the purpose of each engagement, and the region from which the vendor operates.
Overview
Before engaging a new subprocessor or replacing an existing one, HolyDocs assesses the vendor’s security and privacy posture and enters into a data-processing agreement that imposes obligations materially equivalent to those in the HolyDocs DPA. Customer Personal Data is only shared with subprocessors as needed to deliver the Service or features the Customer has chosen to use.
Current Subprocessors
| Vendor | Purpose | Region | Security & Privacy |
|---|---|---|---|
| Cloudflare, Inc. | Edge compute (Workers), database (D1), object storage (R2), KV cache, vector search (Vectorize), queues, DNS, CDN, WAF, and DDoS mitigation — the primary infrastructure for the entire HolyDocs platform. | USA — global edge in 300+ cities | Trust page |
| Anthropic, PBC | AI inference for the documentation assistant, agent, semantic search, summarization, and translation features (Claude family models). | USA | Trust page |
| OpenRouter, Inc. | Routing layer for large-language-model providers used by AI features, including fallback model selection and usage accounting. | USA | Trust page |
| Stripe, Inc. | Payment processing, subscription billing, invoicing, tax calculation (Stripe Tax), and fraud prevention (Stripe Radar). | USA — global processing | Trust page |
| Resend, Inc. | Transactional email delivery, including authentication emails, magic links, billing receipts, and security notifications sent via Better Auth. | USA | Trust page |
| PostHog, Inc. | Product analytics for the dashboard, including page views, feature usage, and funnel measurement. Self-hostable, EU region enabled for EU customers where supported. | EU (Frankfurt) and USA | Trust page |
| GitHub, Inc. | OAuth identity provider for sign-in with GitHub; source-of-truth integration for documentation repositories via the HolyDocs GitHub App. | USA | Trust page |
| Google LLC | OAuth identity provider for sign-in with Google. Personal data limited to name, email, profile picture, and stable user ID. | USA — global | Trust page |
| RogerIQ | Customer support inbox, in-app chat widget, and conversation history for messages exchanged with the HolyDocs support team. | USA | Trust page |
Notification policy. Customers will be notified by email at least 30 days before any addition or change to subprocessors. To object, email dpa@holydocs.com within the notice window.
Notification and Objection
When HolyDocs intends to engage a new subprocessor or replace an existing one, we will notify each Customer (typically the billing owner of the workspace) by email at least 30 days before the change takes effect. To subscribe to subprocessor change notifications, ensure that the billing owner of your workspace can receive email at the address on file.
Customers may object to a new subprocessor on reasonable data-protection grounds by emailing dpa@holydocs.com within the notice window. We will work in good faith to address the objection. If we cannot reach a resolution, the Customer may terminate the affected portion of the Service for convenience without penalty and receive a pro-rata refund of prepaid, unused fees, as described in Section 7 of the DPA.
Historical Changes
This page reflects the current state of HolyDocs subprocessors. We do not publish a full historical changelog on this page, but maintain an internal record of changes that we will provide to Customers on written request. Significant changes will be announced in the dashboard and on our changelog.
Contact
Questions about subprocessors, or to request a counter-signed Data Processing Agreement, email dpa@holydocs.com.
This document was last updated on 2026-05-17. For prior versions, contact legal@holydocs.com.