Skip to content

Third parties — ZevCloud

Every external service ZevCloud talks to. NDPA §29 requires a written DPA with every data processor; coverage status sits with the DPO office and is not duplicated here.

Active vendors

Vendor Category What they process for ZevCloud Fields shared Location
Neon-on-AWS (database) Processor Stores every ZevCloud row All of ZevCloud's tables AWS us-east-1 (N. Virginia)
Hetzner — Ashburn (backend host) Processor (host of the runtime; no data access on disk) Hosts the NestJS process; all ZevCloud request data passes through at runtime Application memory + ephemeral disk Ashburn, VA, US
Hetzner — Falkenstein (customer workload host) Processor Runs the Coolify-managed containers that host customer-deployed applications. Customer source code, build artefacts, environment variables (encrypted in our DB; decrypted into container env at runtime), and the customer's runtime data live here Customer application content; per-container env vars at runtime Falkenstein, Germany
Redis Cloud Processor Cache + rate-limit storage. Holds short-lived auth-throttle counters, idempotency keys, queued jobs Account / IP / request keys (low-sensitivity); no PII at rest US East (matches the backend region for latency)
NameSilo Processor + registry partner Domain registration for non-.ng TLDs Registrant contact PII (name, address, email, phone) submitted per ICANN policy; EPP auth code on transfers US
NIRA (.ng registry, direct EPP) Processor + registry Domain registration for .ng TLDs. ZevCloud is a direct NIRA-accredited registrar — no reseller in the chain Same registrant contact set; NIRA-specific contact requirements Nigeria
Cloudflare (DNS + Access) Processor Authoritative DNS for customer-managed zones; CDN/edge for console.zevcloud.net; CF Access gates this compliance docs site DNS records (low-sensitivity by design — DNS is public); HTTP request metadata in transit; staff emails for CF Access Global edge
Forward Email (Enhanced Protection plan) Processor Inbound email forwarding for customer domains Per-domain alias rules (in their encrypted DB; never in public DNS TXT)
ZeptoMail Processor Transactional outbound email (deploy + billing + domain-lifecycle notifications) Recipient email, recipient name, event-specific template variables
Better Stack Processor Sentry-compatible exception ingest + structured logs Stack traces, scrubbed request context, structured log lines (may include accountId / IP / UA in security-event records)

Shared-services vendors (Cloudflare, ZeptoMail, Better Stack) are used ecosystem-wide; the canonical record is at Cross-product / Shared services.

Other Zev products as processors

These are not "third parties" in the contractual sense (they belong to the same group entity), but they sit between ZevCloud and its data subjects and are listed for completeness:

  • ZevID — identity, authentication, ZPIP consent storage, Zev Credit ledger. See ZevID's product section.
  • ZevPay — billing, invoice payment, refunds, payment-method tokens. See ZevPay's section when published.
  • ZevWorkspace — inbound caller for the ZPIP zevcloud.domains.* capabilities (used to provision DKIM / verification DNS records on the customer's behalf). See ZevWorkspace's section when published.

Cross-border transfers

ZevCloud's database (Neon-on-AWS) and the application backend (Hetzner Ashburn) operate in the US. Customer workloads (the apps customers deploy) run on Hetzner Falkenstein in Germany. NameSilo is in the US; NIRA is in Nigeria. Forward Email, ZeptoMail, Cloudflare, and Better Stack operate under their published DPAs and SCCs. The DPO office holds the contractual coverage record.