Subprocessors
Last updated: April 26, 2026
These are the third parties Doable shares your data with to operate. Each has its own data-processing agreement linked below. We notify customers via email at least 14 days before adding a new subprocessor that touches customer data.
| Vendor | Purpose | Data shared | Region | DPA |
|---|---|---|---|---|
| Vultr | Compute and storage for the Doable platform and customer workloads | All customer data at rest (Postgres rows, build artifacts, application files) | United States | View |
| Stripe | Subscription billing and payment processing | Customer email, name, billing address, payment-card token (we never see the card itself) | United States, EU | View |
| Resend | Transactional email (deploy alerts, billing receipts, expiry notices) | Recipient email, message content (delivery metadata only retained beyond 7 days) | United States | View |
| Firebase Authentication (Google) | User sign-in, OAuth, and session token issuance | Email, hashed password, OAuth provider tokens | United States | View |
| Sentry | Error tracking for the dashboard, API, and worker | Stack traces, request paths, user ID (no PII bodies). 30-day retention. | United States | View |
| OpenAI | Doctor self-healing diagnostics on failed deploys | Failed-build log excerpts (no source code unless deliberately included by the user) | United States | View |
| Cloudflare | CDN, DDoS protection, TLS termination (when enabled) | Request metadata (IP, user agent, URL); cached static asset bytes | Global edge | View |
| Namecheap (affiliate referral) | Domain registration partner. Doable does not register domains itself; we redirect users to Namecheap via an affiliate link. Namecheap is the registrar of record and the data controller for your registration. | Domain name (sent in the URL when you click through). All registrant contact details are collected by Namecheap directly, not by Doable. | United States | View |
| Porkbun (legacy) | Domain registrar of record for domains purchased through Doable’s in-app flow prior to May 2026. New purchases no longer use Porkbun. | Domain name, registrant contact details (only for legacy in-app purchases). | United States | View |
When this list changes
We notify customers at least 14 days before adding a new subprocessor that processes personal data. Notification goes to the billing email on each account.
Customer-deployed code
When you deploy code through Doable, it runs in containers on our infrastructure (or on a server you connect via the BYO flow). The contents of those containers are your processing, not ours. Subprocessors above are the ones we use to operate the platform itself.
Data Processing Agreement
Doable’s standard Data Processing Agreement is offered to all paying customers. Email [email protected] for a counter-signed copy.