PreviewDropPreviewDrop
Log inGet started
← Back to home

Subprocessors

Last updated: April 19, 2026

PreviewDrop uses the third-party services below to operate the product. Each one is a subprocessor under the GDPR — we've signed a Data Processing Addendum (DPA) with every one of them and they are contractually bound to the same confidentiality and security standards we commit to ourselves.

Active subprocessors

Supabase

Primary application database and authentication

Privacy policy →
Data processed
Account info (email, display name), workspace and project records, deployment metadata, encrypted environment variables, audit logs
Location
EU (Frankfurt)
DPA in place
Yes

Hetzner Cloud

Infrastructure hosting for the preview-build and runtime tier

Privacy policy →
Data processed
Temporary build artefacts (cloned repo code, built container images), runtime container stdout/stderr captured for the logs viewer
Location
EU (Germany / Finland)
DPA in place
Yes

Stripe

Payment processing and subscription billing

Privacy policy →
Data processed
Workspace billing contact, plan and invoice records, payment method metadata (last 4 digits only — full card data never touches PreviewDrop infrastructure)
Location
US (with EU processing for EU customers under SCCs)
DPA in place
Yes

Resend

Transactional email delivery (password resets, invoice receipts, preview-share emails)

Privacy policy →
Data processed
Recipient email addresses, email body (includes preview URL and branch name when sharing a preview), delivery status
Location
US
DPA in place
Yes

Sentry

Application error tracking and performance monitoring

Privacy policy →
Data processed
Error stack traces, request metadata (URL, method, user agent), user-ID fingerprints for grouping. PII is filtered on the client before submission.
Location
EU (Frankfurt) or US, depending on your project region
DPA in place
Yes

Cloudflare

DNS, TLS termination, and DDoS protection for previewdrop.dev and *.previews.previewdrop.dev

Privacy policy →
Data processed
Request metadata (IP address, user agent, URL) for routing and security. Cloudflare does not store request bodies.
Location
Global edge network; data plane in EU for EU-origin requests
DPA in place
Yes

Integrations (not subprocessors)

The following services connect to PreviewDrop only when you explicitly authorise them. They are data sources — PreviewDrop reads from them — rather than subprocessors that PreviewDrop shares customer data with.

  • GitHub, GitLab, and Bitbucket — repository and webhook metadata, on your authorisation via OAuth. Your source code is cloned ephemerally during a build, then discarded.
  • Neon, PlanetScale, or your own database — if you wire branch databases via env vars, the connection goes directly from your preview container to your database host. PreviewDrop never intermediates those connections.

Change notifications

If we add, remove, or replace a subprocessor, we update this page and (for paying customers on Pro or Enterprise plans) give 30 days' notice via the address on your workspace billing contact. To object to a new subprocessor, email privacy@previewdrop.dev.

Questions

For a signed DPA, a SOC-2-style security questionnaire, or any other legal or procurement questions, email privacy@previewdrop.dev. We answer every email.