Summary
In plain English
Baslic runs on a deliberately small set of sub-processors: eight active, with one more (Backblaze for encrypted off-site backups) joining within the next 7 days. Hosting stays on EU servers in Germany; our analytics are cookieless (Plausible, EU-hosted). We have no chat widget, no advertising trackers, no session recording, and no behavioral profiling.
Change notifications
We notify customers by email at least 30 days before any new sub-processor begins processing customer data, unless an urgent security or compliance need requires faster action (in which case we notify as soon as possible and document the reason in the changelog). To receive these notifications, click the button below — we will add your email address to the sub-processor notification list. The same commitment is written into our Data Processing Agreement.
Infrastructure
Where Baslic's servers, databases, and storage live.
Hetzner
Hetzner Online GmbH
Purpose
Cloud infrastructure (compute, storage, network) for production and beta environments
Data processed
All customer data at rest, including database records and uploaded receipt files
Location
Falkenstein and Nuremberg, Germany (EU)
Transfer mechanism
Within EEA (no transfer mechanism required)
Cloudflare
Cloudflare, Inc. (US) — EU contracting via Cloudflare Ireland Ltd (Dublin)
Purpose
DNS resolution (authoritative nameservers for baslic.com). Proxy is currently OFF — Cloudflare does not intercept HTTPS traffic; only DNS queries pass through.
Data processed
DNS query metadata (resolver IP, query name, response). No HTTPS payload data.
Location
Global edge for DNS; EU contracting via Cloudflare Ireland
Transfer mechanism
Cloudflare standard DPA + EU-US Data Privacy Framework
AI engines
AI models that parse receipts, invoices, and Z-Reports. The OCR step (extracting raw text from receipt images and PDFs) is self-hosted on our own infrastructure — see the In-house components section below. Only the extracted text, plus the document metadata needed for classification, is sent to the AI model for line-item structuring, VAT classification, and Z-Report parsing.
Anthropic
Anthropic Ireland Ltd.
Purpose
AI parsing of receipts, invoices, and Z-Reports — Timo's NLU, per-line VAT classification, and Matkalasku trip parser (Claude models)
Data processed
Extracted text from receipts and invoices, plus the document metadata needed for classification. Receipt images themselves do not leave our infrastructure (the OCR step is self-hosted, see In-house components).
Location
Anthropic Ireland Ltd. (Dublin) acts as the EU data controller for European customers. Inference is processed on Anthropic-operated infrastructure in the United States. EU data residency is available only as an enterprise option and is not currently configured for Baslic. Standard Contractual Clauses (Module 3) cover the EU-to-US transfer.
Transfer mechanism
EU Standard Contractual Clauses (Module 3) plus enterprise zero-retention agreement.
Platform services
Authentication, email delivery, and domain services.
Postmark
ActiveCampaign, LLC
Purpose
Outbound transactional email delivery (ingestion confirmations, sign-in links, billing notifications, sub-processor change notifications)
Data processed
Recipient email address, subject line, and message body for each transactional email sent
Location
EU servers with US fallback
Transfer mechanism
EU Standard Contractual Clauses (Module 3)
Clerk
Clerk Inc. (Delaware, USA)
Purpose
User authentication, session management, multi-factor authentication
Data processed
Email address, password hash (bcrypt), session tokens, last sign-in metadata
Location
United States
Transfer mechanism
EU-US Data Privacy Framework (active)
Simply.com
Simply.com A/S (Denmark)
Purpose
Domain registrar (baslic.com) and apex email mailbox hosting
Data processed
Domain registration metadata (WHOIS), apex mailbox content
Location
Denmark, EU
Transfer mechanism
Within EEA (no transfer mechanism required)
Analytics
We use a single cookieless analytics service to understand traffic patterns at an aggregated level. No individual visitor is identifiable, no cookies are set, and no data is shared with advertising networks.
Plausible Analytics
Plausible Insights OÜ (Estonia)
Purpose
Cookieless website analytics — aggregated page views and traffic sources only
Data processed
Anonymized page paths, user agent category, referrer. No IP storage, no fingerprinting, no individual tracking.
Location
Germany (EU)
Transfer mechanism
Within EEA (no transfer mechanism required)
Business operations
The single sub-processor that supports billing.
Stripe
Stripe Payments Europe Ltd.
Purpose
Payment processing, subscription billing, and tax handling for paid plans
Data processed
Payment method tokens, transaction metadata, billing address, VAT identifiers
Location
Dublin, Ireland (EU) with US as data importer for global payment infrastructure
Transfer mechanism
EU Standard Contractual Clauses (Module 3) plus Stripe's safeguards programme
Pending additions
Sub-processors we have committed to but not yet activated. These will move to their respective active sections once integrated, and we will publish a changelog entry.
Backblaze B2
Pending — joining T+7
Backblaze, Inc. (California, USA)
Purpose
Off-site encrypted backup of customer receipt files
Data processed
Encrypted backup archives. Encryption keys held by Baslic only — Backblaze cannot decrypt.
Location
Amsterdam, Netherlands (EU)
Transfer mechanism
EU region selected — within EEA
In-house components
Not every part of Baslic runs on a third-party service. These components are operated by us directly:
- OCR engine — we self-host the open-source Tesseract OCR engine on our Hetzner infrastructure to convert receipt photos, PDFs, and HEIC files into raw text before the line-item extraction step. Receipt images stay within our infrastructure throughout this step.
- Application servers, databases, queues, caches — all operated by Baslic on the infrastructure listed above; no third-party SaaS layer sits between you and your data.
- Customer chat widgets, session recording, and behavioral profiling — none of these are in use. Product analytics is limited to aggregated, cookieless page-view counts via Plausible (listed above). Error monitoring is computed from our own server logs.
How to object
If you object to a specific sub-processor for legitimate reasons, contact us at privacy@baslic.com within 30 days of the notification. We will respond within 14 business days, and we will work with you to find an acceptable arrangement (e.g. opting out of the affected feature). If no resolution is possible, you may terminate the affected service with a pro-rata refund of any prepaid period, in line with our Data Processing Agreement.
Why this short list
Changelog
- 24 May 2026 — (Bonus) Companion pages added: /legal/cookies (full cookie disclosure), /legal/security (security practices and incident response).
- 24 May 2026 — Expanded disclosure: added Cloudflare (DNS, Infrastructure), Clerk (authentication, Platform), Simply.com (domain + apex mail, Platform), and Plausible (cookieless analytics, new Analytics section). Backblaze B2 listed as pending (LS3 off-site backup). Summary and in-house statements reconciled with the new stack.
- 17 May 2026 — Initial publication of the sub-processor list, covering the launch stack: Hetzner (infrastructure), Anthropic (AI), Postmark (email), and Stripe (billing).