Trust

Sub-processors

steepl uses the following sub-processors to deliver the service. We notify customers in writing at least 30 days before adding a new sub-processor that processes regulated customer data. Subscribe to our status page for change notifications.

| Vendor | Purpose | Data | Location | Certifications |
|---|---|---|---|---|
| Hetzner Online GmbH | Primary infrastructure hosting (compute, network, object storage) | All customer data at rest and in transit | Falkenstein, Germany (primary); Helsinki, Finland (standby) | ISO 27001, ISO 9001, ISO 14001 |
| Amazon Web Services — KMS | HSM-backed signing of period anchors; envelope-encryption KEK | Cryptographic key material only; no plaintext customer data | eu-central-1 (Frankfurt) primary; us-east-1 multi-region key replica | SOC 1/2/3, ISO 27001/17/18, FIPS 140-3 L3 HSM |
| Stripe, Inc. | Payment processing for giving and AP | Payment-method tokens, transaction metadata; no card data on our infrastructure | United States | PCI DSS Level 1, SOC 2 |
| Lob (CompanyCam DBA) | Paper check generation and mail-out (AP fallback rail) | Vendor name, address, check amount, memo | United States | SOC 2 |
| Vanta | SOC 2 evidence collection and continuous compliance monitoring | Infrastructure metadata, employee directory, system audit logs | United States | SOC 2, ISO 27001 |
| WorkOS | SAML/OIDC brokering and SCIM Directory Sync (Firm tier) | User authentication metadata, group membership | United States | SOC 2 Type II |
| Sentry | Application error monitoring | Stack traces, scrubbed request metadata; PII/PHI redacted | United States | SOC 2 Type II |
| Postmark (ActiveCampaign) | Transactional email (statements, receipts, system notifications) | Recipient email, statement attachment, message body | United States | SOC 2 |
| Atlassian Statuspage | Public status page hosting | Incident metadata only; no customer data | United States | SOC 2 |

Last reviewed 2026-05-20. Some sub-processors may be added or replaced as the product evolves; customers are notified per the policy above.