Subprocessors and onward processors.
The third parties that process customer data on behalf of Guard.ch, with role, location and the legal safeguard that authorises each transfer.
Introduction
A subprocessor is a third party engaged by Guard.ch to process customer personal data on our behalf in order to deliver the service. This register identifies each such party, the role it plays, the location where the processing occurs and the legal safeguard that authorises the transfer.
This page is a public reference for the data processing relationship described in our Data Processing Addendum. Where the DPA and this register conflict on a material point, the DPA prevails for the contracting customer.
Change notification
We publish updates to this register at least thirty (30) days before adding a new subprocessor that materially affects how customer data is processed, stored or transferred. Minor changes that do not affect data flow (for example a vendor's internal corporate restructure) are reflected on the next routine update without the notice period.
Customers and prospects can subscribe to written notifications by sending the word "subscribe" to privacy@guard.ch. The mailing list is used only for subprocessor and policy notices; you can unsubscribe at any time by replying with "unsubscribe".
Infrastructure and hosting
Persistent capture storage and the production database live in a single primary region: Hetzner's Helsinki facility. Edge nodes accept browser sessions in their region and stream them over WebRTC to the end user. Edge nodes hold no persistent customer data; container scratch is wiped on session end and the underlying volumes are tmpfs-backed where the kernel allows.
| Subprocessor | Role | Location | Purpose | Safeguard |
|---|---|---|---|---|
| Hetzner Online GmbH | Primary hosting, storage and error telemetry | Helsinki, Finland (EEA). Entity seat: Gunzenhausen, Germany. | Production database, S3-compatible object storage for persistent session captures, account records and billing artefacts. The self-hosted error monitoring and application telemetry stack also runs here; no third-party observability vendor is involved. | EU GDPR (intra-EEA). Hetzner Data Processing Agreement signed by Guard.ch. |
| OVH Singapore Pte. Ltd. (OVHcloud) | Asia Pacific edge node | SGP1 datacenter, 110 Paya Lebar Road, Singapore 409057. | Ephemeral browser containers and WebRTC streaming for sessions originating in Asia Pacific. No persistent storage; container scratch is wiped on session end. | EU SCCs Module 3 (processor to processor) and the Swiss FDPIC equivalent. OVHcloud Data Processing Agreement on file. |
| FiberState, LLC | Americas edge node | SLC1 datacenter, Salt Lake City metro area (Draper, Utah, US). | Ephemeral browser containers and WebRTC streaming for sessions originating in the United States. No persistent storage; container scratch is wiped on session end. | EU SCCs Module 3 and the Swiss FDPIC equivalent. Transfer impact assessment on file for US transfers. |
| OVH Hosting Inc. (OVHcloud) | North America edge node | BHS campus, 50 Rue de l'Aluminerie, Beauharnois, Quebec, Canada. | Ephemeral browser containers and WebRTC streaming for sessions originating in Canada and the northern United States. No persistent storage; container scratch is wiped on session end. | Canadian adequacy decision in force for commercial-sector transfers from the EEA. EU SCCs Module 3 and the Swiss FDPIC equivalent additionally signed with OVHcloud. |
Network, CDN and security
Cloudflare is the authoritative DNS for guard.ch and the TLS terminator and reverse proxy for the marketing site and dashboard served at guard.ch. Backend requests from the dashboard go directly to the origin and session capture content (video and replay artefacts) is served from our Helsinki origin without traversing Cloudflare. Cloudflare Turnstile is loaded on registration, login, email-code verification, password reset and guest analysis launch forms to mitigate automated abuse.
| Subprocessor | Role | Location | Purpose | Safeguard |
|---|---|---|---|---|
| Cloudflare, Inc. (DNS and edge) | Authoritative DNS and edge for guard.ch | San Francisco, California (US). Global anycast edge. | Authoritative DNS for guard.ch and TLS terminator / reverse proxy for the marketing site and dashboard at guard.ch. WAF and rate limiting on those routes. Backend requests go directly to the origin. | EU Standard Contractual Clauses plus the Cloudflare Data Processing Addendum. Swiss DPA addendum on file. Cloudflare is certified under the EU-US Data Privacy Framework and its Swiss extension. |
| Cloudflare, Inc. (Turnstile) | Bot challenge on authentication and guest launch flows | San Francisco, California (US). Global anycast edge. | Managed bot challenges on the Guard.ch registration, login, email-code verification, password reset and guest analysis launch forms. Cloudflare receives the user's IP address, user agent and interaction signals for the duration of the challenge, plus a per-request site token. | EU SCCs and the Swiss FDPIC equivalent under the Cloudflare Data Processing Addendum. Cloudflare is certified under the EU-US Data Privacy Framework and its Swiss extension. |
Identity and authentication
Guard.ch supports passkeys, email-and-password sign-in and federated sign-in with Google or Microsoft. When the user chooses a federated provider, that provider receives the OAuth client identifier and returns a signed identity assertion containing the user's verified email address and basic profile fields, which Guard.ch uses to provision or look up the account. Users who only use passkeys or email sign-in do not cause any data to be sent to the providers listed below.
| Subprocessor | Role | Location | Purpose | Safeguard |
|---|---|---|---|---|
| Google LLC (Sign in with Google) | Federated identity provider | 1600 Amphitheatre Parkway, Mountain View, California (US). | OAuth 2.0 identity assertion when a Guard.ch user chooses 'Sign in with Google'. Google returns the user's verified email address, given and family name and profile picture URL to Guard.ch. Used only when the user actively selects this sign-in method. | Google Cloud Platform / Google APIs Data Processing and Security Terms. EU SCCs and the Swiss FDPIC equivalent. Google LLC is certified under the EU-US Data Privacy Framework and its Swiss extension. |
| Microsoft Corporation (Sign in with Microsoft) | Federated identity provider | One Microsoft Way, Redmond, Washington (US). | OAuth 2.0 / OpenID Connect identity assertion against Microsoft Entra ID (Azure AD) when a Guard.ch user chooses 'Sign in with Microsoft'. Microsoft returns the user's verified email address, display name and tenant identifier. Used only when the user actively selects this sign-in method. | Microsoft Online Services Data Protection Addendum (DPA), EU SCCs and the Swiss FDPIC equivalent. Microsoft is certified under the EU-US Data Privacy Framework and its Swiss extension. |
Payments
Stripe is the card and SEPA processor for Guard.ch. The contracting Stripe entity is determined by the customer's billing country: Stripe Payments Europe, Ltd. for customers in the EEA, Switzerland and the United Kingdom, and Stripe, Inc. for customers elsewhere. Guard.ch never holds the primary account number; the card is tokenised at Stripe and only the token, brand and last four digits are stored in our billing ledger.
| Subprocessor | Role | Location | Purpose | Safeguard |
|---|---|---|---|---|
| Stripe Payments Europe, Ltd. | Card and SEPA processing for EEA, Swiss and UK customers | 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. | Authorisation, capture, refund and dispute handling for subscription invoices issued to customers within the EEA, Switzerland and the United Kingdom. | EU GDPR. Stripe Data Processing Agreement on file. Card data is tokenised at Stripe; Guard.ch never stores the primary account number. |
| Stripe, Inc. | Card processing for customers outside the EEA, UK and CH | 354 Oyster Point Boulevard, South San Francisco, California (US). | Authorisation, capture, refund and dispute handling for customers whose billing country is outside the EEA, Switzerland and the United Kingdom. | EU SCCs and the Swiss FDPIC equivalent via Stripe's Data Processing Agreement. Card data is tokenised at Stripe. |
Communications and observability
Outbound transactional email (receipts, sign-in codes, security notifications, capture-ready alerts) is relayed through Google Workspace from Guard.ch mailboxes. Server-side application logs and operational metrics from the Guard.ch backend and edge agents are forwarded to Axiom for centralised search and alerting; session capture content (video and replay events) is not part of the log payloads.
| Subprocessor | Role | Location | Purpose | Safeguard |
|---|---|---|---|---|
| Google Ireland Limited (Google Workspace, Gmail) | Outbound transactional email | Gordon House, Barrow Street, Dublin 4, Ireland. Mail data may be processed by Google LLC in the US. | Delivery of receipts, sign-in codes, security notifications and capture-ready alerts to the registered account email. Sent from privacy@guard.ch and noreply@guard.ch through Google Workspace SMTP relay. | Google Workspace Data Processing Amendment, EU SCCs and the Swiss FDPIC equivalent. Google LLC is certified under the EU-US Data Privacy Framework and its Swiss extension. |
| Axiom, Inc. | Application log ingestion and operational telemetry | 548 Market Street, San Francisco, California (US). Storage in AWS US regions. | Centralised ingestion of server-side application logs and operational metrics from the Guard.ch backend and edge agents. Payloads typically contain pseudonymous identifiers (user id, workspace id, request path, status code, IP address). Session capture content (video, replay events) is excluded from log payloads. | Axiom Data Processing Agreement, EU SCCs and the Swiss FDPIC equivalent. Logs are retained for a rolling operational window and then deleted automatically. |
AI and machine learning
Guard.ch uses third-party large language models for two narrowly scoped purposes: AI-assisted summarisation and structured extraction surfaced to users on request, and anomaly detection over server-side application logs. Session capture content is never sent to either provider as part of the operational telemetry path, and model traffic to both providers is excluded from model training by contract.
| Subprocessor | Role | Location | Purpose | Safeguard |
|---|---|---|---|---|
| Google LLC (Gemini) | AI summarisation and content analysis | 1600 Amphitheatre Parkway, Mountain View, California (US). | On-demand large language model inference for AI-assisted summarisation and structured extraction features when activated by the user. Only the content explicitly submitted to an AI feature is sent to the model; account credentials and capture artefacts are never transmitted. | Google Cloud / Gemini Data Processing Addendum. EU SCCs and the Swiss FDPIC equivalent. Gemini model traffic is excluded from Google's model training by contract. |
| OpenAI, OpCo, LLC | Anomaly detection over operational telemetry | 1455 3rd Street, San Francisco, California (US). | Pattern analysis over server-side application logs to surface anomalies, spikes and regressions. Payloads consist of aggregated log lines and pseudonymous identifiers; session capture content is excluded. | OpenAI Data Processing Addendum, EU SCCs and the Swiss FDPIC equivalent. Model traffic is excluded from OpenAI's model training by contract. OpenAI is certified under the EU-US Data Privacy Framework and its Swiss extension. |
International transfers
Guard.ch is operated from Switzerland. Switzerland holds an adequacy decision from the European Commission, so transfers between the EEA and Switzerland do not require additional safeguards under Chapter V GDPR.
Persistent customer data (captures, account records, billing artefacts) stays inside the EEA, specifically in Hetzner's Helsinki facility. Edge nodes outside the EEA (OVHcloud Singapore, FiberState Salt Lake City, OVHcloud Beauharnois) process session traffic ephemerally for the duration of a live session and hold no data at rest. Transfers to the US edge node and to US-based subprocessors (Cloudflare, Stripe Inc., Google LLC, Microsoft Corporation, Axiom, OpenAI) are covered by the European Commission's Standard Contractual Clauses, Module 3 (processor to processor) together with the Swiss equivalent issued by the FDPIC. Where the vendor is certified under the EU-US Data Privacy Framework (Cloudflare, Google, Microsoft, Stripe, OpenAI), the DPF is the primary mechanism and the SCCs operate as a fallback. Transfers to Beauharnois additionally rely on the European Commission's adequacy decision for the Canadian commercial sector under PIPEDA.
A transfer impact assessment for each non-EEA region is maintained internally and is available to customers on request, in line with the EDPB Recommendations 01/2020 methodology.
Customer objections
Customers may object to the engagement of a specific subprocessor on reasonable grounds (for example a documented incompatibility with the customer's own regulatory regime). Objections should be sent in writing to privacy@guard.ch within fourteen (14) days of the change notification.
On receipt we will work with the customer in good faith to find a workable alternative (for example pinning the affected workload to a different region, or scoping a custom processing arrangement). Where no alternative can reasonably be agreed, the customer may terminate the affected portion of the service without penalty and receive a pro-rata refund for the unused term.
Contact
Questions about this register, requests for the underlying contracts, or notifications under the change notification clause go to privacy@guard.ch. Postal mail to Zesiger.net Individual Enterprise, Mügeri 340, 5046 Schmiedrued, Switzerland.