Sub-processors
Last updated 14 June 2026
This page lists the sub-processors that Torii ApS engages to process End User personal data on behalf of its customers under the Data Processing Agreement, and constitutes Appendix B (Authorised sub-processors) to that agreement. It is maintained separately from the Services Agreement so it can be kept current as our sub-processors change.
This is version 1.0, effective from the “Last updated” date above. Before a new sub-processor begins processing personal data, we update this page and notify affected customers at least 30 days in advance, as described in the DPA.
End User personal data
These sub-processors process the personal data of the Customer’s End Users:
| Sub-processor | Service | Personal data processed | Location | Transfer safeguard |
|---|---|---|---|---|
| Hetzner Online GmbH | Hosting and storage of the Service and its database | All End User personal data at rest; server logs including IP address | Falkenstein, Germany (EU) | - (within EU) |
| Cloudflare, Inc. | Edge proxy, TLS termination, and DDoS/bot protection | End User IP address and HTTP request metadata | USA; global edge network | EU–US Data Privacy Framework / Standard Contractual Clauses |
| AhaSend BV | Transactional email delivery (verification, password reset, security notices) | End User email address and the contents of those emails | Netherlands (EU) | - (within EU) |
| Signicat AS | MitID and electronic-ID verification, where the Customer enables it | Identity attributes returned by the eID scheme for the End User | Norway (EEA) / EU | - (within EEA) |
Third-party identity providers
The Service can connect to third-party identity providers for social or enterprise sign-in. When an End User signs in this way, they authenticate directly with the provider, which returns the End User’s email address and name so the Service can create and access the account. These providers determine their own purposes and means, so they act as independent controllers under their own terms and privacy policies, not as Torii sub-processors.
You configure the identity providers for your application using your own credentials, and the connection is between your application and each provider. As a convenience, the sandbox environment also offers Torii’s own shared identity-provider applications so you can test without setting up your own; if you use those, the connection runs through Torii, but you remain free to use your own credentials in sandbox instead. Sandbox is for testing; avoid signing in with personal accounts you would not want processed this way.
Billing data
Subscription billing for the Customer (an organisation, not an End User) is handled by Fenerum (Denmark, EU). Fenerum processes the Customer’s organisation and company-registration details and invoices (not End User personal data) and is described in the Dashboard Privacy Policy.
Questions
For a copy of the transfer safeguards above, or any question about our sub-processors, contact privacy@torii.so.