Sub-Processors
Verbitas uses the following third-party services to process customer data. This list is maintained as part of our GDPR Data Processing Agreement commitments.
Current sub-processors
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Hetzner Online GmbH | Primary compute and object storage | All customer data (manifests, assets, Postgres, Redis) | eu-central-1 (FSN1, Nuremberg) + HEL1 (Helsinki) |
| Amazon Web Services (AWS) | KMS signing key operations | 32-byte claim digests only; no asset content | eu-central-1 (Ireland) |
| Stripe, Inc. | Payment processing and subscription management | Billing email, payment method tokens | EU data residency enabled |
| Cloudflare, Inc. | CDN, WAF, DDoS protection, DNS | HTTP request headers and response bodies (in transit) | Global edge; no persistent storage of request content |
| Grafana Labs | Observability (Tempo traces, Prometheus metrics) | Trace IDs, metric counters; no asset content or PII | EU region |
| BetterStack | Uptime monitoring and status page | HTTP response codes, availability metrics | EU region |
| Sentry | Error tracking | Stack traces, error messages; no asset content | EU region |
| Wasabi Technologies | Object storage backup (cross-region) | Encrypted copies of manifests and signed assets | EU region |
Tier 2 (optional, tenant-configured)
These sub-processors are used only when a tenant configures the corresponding feature.
| Sub-processor | Purpose | Activation |
|---|---|---|
| OpenTimestamps calendars | Bitcoin timestamp anchoring (Tier 1) | All recipes with anchoring.methods: [opentimestamps] |
| Arbitrum One (via Alchemy) | L2 anchor batch submission (Tier 2) | Recipes with anchoring.methods: [arbitrum] |
| Customer AWS account | BYOK KMS signing | Recipes with kms_mode: byok |
What each sub-processor receives
AWS KMS
The Verbitas signer (apps/signer) sends only 32-byte canonical C2PA claim digests to AWS KMS for signing. No asset bytes, no metadata, no PII. The IAM role is restricted to kms:Sign and kms:GetPublicKey.
Cloudflare
Cloudflare terminates HTTPS at the edge and proxies requests to Verbitas’s origin. It processes HTTP headers and request/response bodies in transit to apply WAF rules and rate limits. It does not persistently store request content beyond standard edge logs (which are not shared with Verbitas).
OpenTimestamps / Arbitrum
The anchor batch sends exactly 32 bytes (a Merkle root) to OpenTimestamps calendar servers and to Arbitrum One as transaction calldata. No PII. No asset content. No manifest content. The 32 bytes are a hash of a hash.
Data flows
```
Customer API call → Cloudflare edge → Hetzner (apps/api, apps/worker, Postgres, Redis, Object Storage)
                                          │
                               ┌──────────┴──────────┐
                               │                     │
                            AWS KMS        OpenTimestamps / Arbitrum
                     (32-byte digest only) (32-byte Merkle root only)
```
Stripe receives only what is needed for billing: email address and payment method token. No asset data reaches Stripe.
Grafana, BetterStack, and Sentry receive operational telemetry (traces, metrics, error messages). No asset content or personal data from manifest assertions reaches these services.
Sub-processor changes
Verbitas will notify customers of any additions or changes to this sub-processor list with at least 30 days’ notice, via the status page and email to the account’s primary contact.
To subscribe to sub-processor change notifications: admin console > Settings > Notifications > Sub-processor changes.
Requesting a sub-processor list addendum
Enterprise customers requiring a contractual sub-processor list addendum as part of their DPA can request one at [email protected].