Last Updated: 15.11.2025
At Gorilla, we use a small set of trusted third-party service providers to help us operate our platform reliably, securely, and at scale. Some of these partners process customer data in order to provide infrastructure, customer support, analytics, or product functionality. When they do so on our behalf, they qualify as Subprocessors under the GDPR. Each one is contractually bound by obligations that match or exceed those in our Data Processing Agreement (DPA).
Where possible, we use EU-based or EU-hosted infrastructure. When data must be processed outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) to ensure lawful transfer.
In addition to SCCs, Gorilla performs a risk-based due diligence process before engaging any non-EEA Subprocessor. This includes:
This ensures we only work with vendors who meet our internal standards and customer expectations.
These Subprocessors provide the core infrastructure used to host and store Customer Personal Data.
| Subprocessor | Purpose of Processing | Data Location |
|---|---|---|
| Render | Private server and data storage | Germany, Frankfurt |
| Vercel | Cloud hosting | Germany, Frankfurt |
| Google Cloud | Secrets storage and management via Google Cloud Secret Manager | Germany, Frankfurt |
These Subprocessors support essential platform functionality, observability, and user-facing features.
| Subprocessor | Purpose of Processing | Data Location |
|---|---|---|
| Cloudflare | DNS, CDN, network security, DDoS protection | EU |
| Sentry | Application error tracking and diagnostics | EU |
| PostHog | In-product analytics and event tracking | EU |
| Logz.io | Log management and monitoring | EU |
These providers help us deliver support, notifications, and other direct communications to customers.