Subprocessors List
Last Updated: November 14, 2025
Effective Date: November 14, 2025
Overview
This page lists all third-party service providers (subprocessors) that Guard.ch engages to process customer data in the course of providing our virtual machine management services.
Guard.ch is committed to transparency about our subprocessors and will update this list when we add, replace, or remove subprocessors. Customers will be notified of changes in accordance with our Data Processing Agreement (DPA).
Notification of Changes
How We Notify You:
- Email notification to your account email address
- Update to this Subprocessors List page with revision date
- Minimum 30 days' advance notice (when reasonably possible)
Your Right to Object: If you object to a new or replacement subprocessor on reasonable data protection grounds, you may notify us within 30 days at support@guard.ch. See our DPA for details on objection procedures.
Current Subprocessors
Infrastructure and Hosting
| Subprocessor | Purpose | Data Location | Data Processed | Safeguards | Privacy Policy |
|---|---|---|---|---|---|
| Hetzner Online GmbH<br/>Industriestr. 25<br/>91710 Gunzenhausen<br/>Germany | Infrastructure hosting and primary data storage | Helsinki, Finland (EU) | All customer data, account information, VM metadata, operational data | GDPR compliance (EU-based provider), ISO 27001 certified | Hetzner Privacy Policy |
| OVH US LLC<br/>21351 Gentry Drive<br/>Dulles, VA 20166<br/>USA | Infrastructure hosting for US customer VM sessions only (no persistent data storage) | Hillsboro, Oregon, USA | VM session data for US-region customers (temporary only) | Standard Contractual Clauses, EU-US Data Privacy Framework | OVH Privacy Policy |
Payment Processing
| Subprocessor | Purpose | Data Location | Data Processed | Safeguards | Privacy Policy |
|---|---|---|---|---|---|
| Stripe, Inc.<br/>510 Townsend Street<br/>San Francisco, CA 94103<br/>USA | Payment processing, subscription management, and invoicing | USA (multiple data centers) | Email, billing information, payment transaction data, Stripe customer ID | Standard Contractual Clauses, EU-US Data Privacy Framework, PCI DSS Level 1 certified | Stripe Privacy Policy |
Security and Infrastructure Services
| Subprocessor | Purpose | Data Location | Data Processed | Safeguards | Privacy Policy |
|---|---|---|---|---|---|
| Cloudflare, Inc.<br/>101 Townsend Street<br/>San Francisco, CA 94107<br/>USA | DNS services, CDN, DDoS protection, and WAF | Global network (data may transit through various locations) | IP addresses, DNS queries, HTTP request metadata | EU-US Data Privacy Framework, ISO 27001, SOC 2 Type II | Cloudflare Privacy Policy |
Logging and Monitoring
| Subprocessor | Purpose | Data Location | Data Processed | Safeguards | Privacy Policy |
|---|---|---|---|---|---|
| Axiom, Inc.<br/>660 4th Street #367<br/>San Francisco, CA 94107<br/>USA | Log aggregation, monitoring, and observability | USA | Server access logs, application logs, error logs (including IP addresses, timestamps, request URLs) - 30-day retention | Standard Contractual Clauses, SOC 2 Type II | Axiom Privacy Policy |
Authentication Services (Optional)
| Subprocessor | Purpose | Data Location | Data Processed | Safeguards | Privacy Policy |
|---|---|---|---|---|---|
| Google LLC<br/>1600 Amphitheatre Parkway<br/>Mountain View, CA 94043<br/>USA | OAuth authentication (optional) and website analytics (Google Analytics) | USA and global | OAuth: Email and basic profile data when you choose Google login<br/>Analytics: Website usage data, anonymized IP addresses, browser/device info, page views | EU-US Data Privacy Framework, ISO 27001 | Google Privacy Policy |
| Microsoft Corporation<br/>One Microsoft Way<br/>Redmond, WA 98052<br/>USA | OAuth authentication (optional) | USA and global | Email and basic profile data when you choose Microsoft login | EU-US Data Privacy Framework, ISO 27001, SOC 2 | Microsoft Privacy Policy |
Advertising Services
| Subprocessor | Purpose | Data Location | Data Processed | Safeguards | Privacy Policy |
|---|---|---|---|---|---|
| Playwire LLC<br/>3399 Peachtree Road NE, Suite 200<br/>Atlanta, GA 30326<br/>USA | Advertising services and ad delivery | USA | IP addresses, browser/device information, ad interaction data, browsing behavior on Guard.ch | Standard Contractual Clauses | Playwire Privacy Policy |
Data Transfer Mechanisms
For subprocessors located outside Switzerland and the European Economic Area (EEA), Guard.ch ensures appropriate safeguards for international data transfers:
EU-US Data Privacy Framework
The following subprocessors are certified under the EU-US Data Privacy Framework:
- Stripe, Inc.
- Cloudflare, Inc.
- Google LLC
- Microsoft Corporation
- OVH US LLC
You can verify certifications at: https://www.dataprivacyframework.gov/list
Standard Contractual Clauses (SCCs)
For subprocessors not covered by the Data Privacy Framework, Guard.ch uses Standard Contractual Clauses approved by:
- The Swiss Federal Data Protection and Information Commissioner (FDPIC)
- The European Commission
SCCs are in place with:
- Axiom, Inc.
- Playwire LLC
- All other US-based subprocessors as supplemental safeguards
Copies of Transfer Mechanisms
Customers may request copies of the Standard Contractual Clauses or other transfer mechanisms by contacting support@guard.ch.
Important Notes
VM Content
Guard.ch does not access or process the content of your virtual machines. Any personal data you store, process, or transmit within your VMs is your sole responsibility. Guard.ch has no technical capability to access VM content and acts solely as an infrastructure provider for VMs.
The subprocessors listed above process only:
- Account and authentication data
- VM metadata (IDs, creation times, usage statistics)
- Billing and payment information
- Access logs and operational data
Primary Data Storage
All persistent customer data is stored in the European Union (Hetzner Helsinki data center, Finland). OVH US is used only for running VM sessions for US-region customers; no persistent customer data is stored on OVH infrastructure.
Additional Third-Party Services
Guard.ch infrastructure may use additional third-party services that do not process customer personal data (e.g., DNS registrars, code repositories, development tools). These are not listed as subprocessors as they do not process personal data on behalf of customers.
Subprocessor Security and Compliance
Guard.ch requires all subprocessors to:
-
Implement Appropriate Security Measures:
- Encryption in transit and at rest
- Access controls and authentication
- Regular security assessments
- Incident response procedures
-
Maintain Compliance:
- Comply with applicable data protection laws (Swiss FADP, EU GDPR)
- Maintain relevant certifications (ISO 27001, SOC 2, PCI DSS where applicable)
- Undergo regular security audits
-
Contractual Obligations:
- Execute Data Processing Agreements with Guard.ch
- Agree to process data only on Guard.ch's instructions
- Implement confidentiality obligations
- Provide security breach notification
- Assist with data subject rights requests
- Delete or return data upon request
Data Retention by Subprocessors
| Subprocessor | Data Retention Period | Purpose |
|---|---|---|
| Hetzner | Duration of service + 30 days | Infrastructure hosting |
| OVH US | Session duration only (no persistent storage) | VM sessions |
| Stripe | Duration of service + up to 7 years | Payment records, fraud prevention, legal compliance |
| Cloudflare | Varies by service (typically 24 hours to 30 days for logs) | Security, performance optimization |
| Axiom | 30 days | Log retention and monitoring |
| Google (OAuth) | Per Google's retention policies | Authentication |
| Google (Analytics) | 14-50 months (configurable) | Analytics |
| Microsoft | Per Microsoft's retention policies | Authentication |
| Playwire | Per Playwire's retention policies | Advertising analytics |
Guard.ch's overall data retention practices are governed by our Privacy Policy and DPA.
Subprocessor Due Diligence
Guard.ch conducts due diligence on all subprocessors before engagement, including:
- Security and privacy assessments
- Review of data protection policies and practices
- Verification of compliance certifications
- Contractual review and negotiation
- Ongoing monitoring and periodic reassessment
Requesting Information
For questions about our subprocessors or to request additional information:
Email: support@guard.ch
Postal Address: See our Imprint for full contact details.
You may request:
- Copies of Data Processing Agreements with subprocessors (subject to confidentiality restrictions)
- Copies of Standard Contractual Clauses
- Additional information about security measures
- Clarification about data processing activities
Change History
| Date | Change | Subprocessor(s) Affected |
|---|---|---|
| November 14, 2025 | Initial publication of comprehensive Subprocessors List | All subprocessors listed |
Future changes will be documented in this section with the date, nature of the change, and affected subprocessors.
Last Review Date: November 14, 2025
Next Scheduled Review: May 14, 2026
This Subprocessors List is maintained in accordance with our Data Processing Agreement and Privacy Policy. For more information about our data protection practices, please refer to those documents.