Skip to content
Sairaph Mail

Sub-Processors

Effective date: 25 June 2026 Last updated: 25 June 2026 Version: 1 (initial)

Sairaph Mail (operated by WELLDONE, Aleja Wyzwolenia 11/6, 70-552 Szczecin, Poland) engages the third-party sub-processors below to deliver the Service. Each processes personal data only on our documented instructions and under a data-processing agreement containing the Article 28 GDPR terms. This list is referenced by, and forms part of, our Privacy Policy and (for Business Customers) our Data Processing Agreement.

How to read the "transfer mechanism" column: where a sub-processor processes personal data in the EU/EEA, no Chapter V transfer mechanism is needed. Where data may be processed in, or accessed from, a third country (in practice the United States), the listed mechanism is the safeguard we rely on under Chapter V GDPR.

---

Active sub-processors

1. OVHcloud

  • Legal entity: OVH SAS (France — EU). (Where contracting is through the Polish OVH entity OVH Sp. z o.o., that entity applies; both are EU-established.)
  • Purpose: OVHcloud is our primary EU infrastructure provider and performs several roles: (a) domain name registration and management (OVH is the registrar) and DNS; (b) email mailbox hosting (the authoritative store for your inbound and stored mail) and inbound/outbound mail-relay VPS hosting; and (c) application infrastructure hosting — the virtual private servers that run the Sairaph Mail application, PostgreSQL database, Redis, and background workers.
  • Categories of data: Customer email content (messages, headers, attachments), mailbox credentials, domain owner-contact (registrant) details, DNS configuration; and, for the application infrastructure, all Account data, billing metadata, technical/audit metadata, and the encrypted body cache and credentials (encryption keys held by Sairaph Mail; see the Privacy Policy security section).
  • Processing region: EU (OVHcloud EU data centres).
  • International transfer: None required — processing is in the EU.
  • Notes: Domain registrant contact details may additionally be processed/published under ICANN and registry rules, which is a separate controller relationship governed by those policies.

2. Amazon Web Services — Amazon SES

  • Legal entity: Amazon Web Services EMEA SARL (Luxembourg); US parent: Amazon Web Services, Inc.
  • Purpose: Outbound email relay (sending your outgoing mail) and processing of bounce and complaint notifications.
  • Categories of data: Outbound message content and headers, sender/recipient addresses, delivery/bounce/complaint metadata.
  • Processing region: eu-west-1 (Dublin, Ireland — EU).
  • International transfer: Sending processing occurs in the EU. To the extent any personal data is accessed by the US parent, transfers are covered by the AWS GDPR Data Processing Addendum (incorporating the EU Standard Contractual Clauses) and Amazon's EU–US Data Privacy Framework certification.

3. Stripe

  • Legal entity: Stripe Payments Europe, Ltd. (Ireland); US parent: Stripe, Inc.
  • Purpose: Payment processing (subscription charges, renewals) and tax calculation (Stripe Tax, including EU VAT / reverse charge / OSS handling).
  • Categories of data: Billing name, email, billing country, VAT ID (if provided), payment-method/card data (handled by Stripe as a PCI-DSS processor — Sairaph Mail does not store full card numbers), transaction records.
  • Processing region: EU and US.
  • International transfer: Covered by Stripe's DPA (incorporating the EU SCCs) and Stripe, Inc.'s EU–US Data Privacy Framework certification.

4. Cloudflare — Turnstile

  • Legal entity: Cloudflare, Inc. (US); EU contracting entity where applicable: Cloudflare Germany GmbH.
  • Purpose: Bot protection at signup (Cloudflare Turnstile) — distinguishing humans from automated bots on the signup form.
  • Categories of data: IP address, browser/device signals, Turnstile challenge token, interaction metadata.
  • Processing region: Global / US.
  • International transfer: Covered by Cloudflare's DPA (incorporating the EU SCCs) and Cloudflare, Inc.'s EU–US Data Privacy Framework certification.

5. Plausible Analytics (self-hosted)

  • Legal entity: Operated by WELLDONE (Sairaph Mail) on its own EU infrastructure — Plausible Community Edition is self-hosted, not the Plausible Insights OÜ managed cloud service. Listed here for transparency even though, being operator-controlled and first-party, it is arguably not a third-party sub-processor.
  • Purpose: Privacy-first website analytics — understanding how the marketing site and dashboard are used. The baseline measurement is cookieless (no cookies, no device storage; legitimate-interest basis). A consent-gated enriched/attribution layer additionally stores a sessionStorage attribution token on the user's device, and only runs after the user consents.
  • Categories of data: Aggregated/pseudonymous usage data — page URL, referrer, de-identified device/browser type, country (derived, no raw IP retained). Plausible does not store personal cross-site identifiers or use cookies for the baseline measurement.
  • Processing region: EU (self-hosted on operator-controlled OVHcloud EU infrastructure).
  • International transfer: None required — processing is in the EU.

---

Change management

  • We will give customers reasonable advance notice of any new or replacement sub-processor (e.g. by updating this versioned list and notifying by email or in-product notice), and an opportunity to object on reasonable data-protection grounds, before the new sub-processor begins processing.
  • The DPA flows down equivalent Article 28 obligations to every sub-processor, and Sairaph Mail remains liable to the customer for its sub-processors' performance.

---

If you have questions about these terms, contact us at privacy@sairaph.com.

*Sairaph Mail, operated by WELLDONE, Sairaph.com.*