Third parties — ZevSend¶
Every external service ZevSend talks to. NDPA §29 requires a written DPA with every data processor; coverage status sits with the DPO office and is not duplicated here.
Active vendors¶
| Vendor | Category | What they process for ZevSend | Fields shared | Location |
|---|---|---|---|---|
| Neon-on-AWS (database) | Processor | Stores every ZevSend row | All of ZevSend's tables | AWS us-east-1 (N. Virginia) |
| Hetzner — Ashburn (backend host, via Coolify) | Processor (host of the runtime; no data access on disk) | Hosts the NestJS process; all ZevSend request data passes through at runtime | Application memory + ephemeral disk | Ashburn, VA, US |
| Redis Cloud | Processor | Cache + queue (BullMQ) + rate-limit storage. Holds short-lived auth-throttle counters, idempotency keys, queued webhook-delivery jobs | Account / IP / request keys; queued event envelopes (may include recipient address, message public id) | US East (matches the backend region for latency) |
AWS SES (zevsend-default configuration set) |
Processor | Outbound email dispatch + delivery / bounce / complaint feedback. Carrier identity registration per customer-owned domain. Custom MAIL FROM bounce-routing | Recipient email, sender email, subject, body, team-id tag, SES message id | AWS eu-west-1 (default — region tunable per deploy) |
| AWS SNS | Processor | Delivery / bounce / complaint feedback transport — SES publishes to SNS, SNS POSTs to /webhooks/aws-sns |
Same fields as the SES feedback events themselves | AWS (same region as SES) |
| Cloudflare (edge) | Processor | CDN / edge for console.zevsend.com, api.zevsend.com, prod.zevsend.com — TLS termination, HSTS, DDoS mitigation, basic WAF |
HTTP request metadata in transit; no application data persisted by Cloudflare | Global edge |
| SMS carriers (admin-managed registry) | Processor | Outbound SMS dispatch + delivery callbacks; per-carrier routing rules + sender-id registration | Recipient phone (E.164), sender id, body, team-attribution metadata | Per-carrier (region-dependent — Termii in Nigeria, etc.) |
| Meta (WhatsApp Cloud API) | Processor | Outbound WhatsApp template-send dispatch + delivery / read receipts; per-tenant WABA + phone-number-id config | Recipient phone, approved template name + language, positional template parameters | Meta-controlled global infra |
| Centralised exception + log monitoring | Processor | Stack traces, scrubbed request context, structured log lines (may include accountId, IP, UA in security-event log lines) |
Stack traces, scrubbed request context, structured log lines | Provider-region-dependent |
Shared-services vendors (Cloudflare, the log-monitoring provider) are used ecosystem-wide; the canonical record is at Cross-product / Shared services.
Other Zev products as processors¶
These are not "third parties" in the contractual sense (they belong to the same group entity), but they sit between ZevSend and its data subjects and are listed for completeness:
- ZevID — identity, authentication, ZPIP consent storage, Zev Credit ledger. See ZevID's product section.
- ZevPay — billing, invoice payment, refunds, payment-method tokens. See ZevPay's section when published.
- ZevCloud — when a customer's sending domain has its authoritative DNS on ZevCloud, ZevSend asks ZevCloud (via ZPIP) to publish the DKIM / SPF / DMARC / bounce-routing records. See ZevCloud's product section.
Cross-border transfers¶
ZevSend's database (Neon-on-AWS) operates in the US. The application backend (Coolify on Hetzner Ashburn) operates in the US. AWS SES operates out of eu-west-1 by default. SMS carriers are region-dependent. Meta's WhatsApp Cloud API operates on Meta-controlled global infrastructure. Each vendor's DPA + SCC coverage is held by the DPO office; this page summarises the data movement, not the contractual coverage.