Compute
Hetzner Cloud, Falkenstein, Germany
Application servers and the Bridgekit API run on Hetzner Cloud in Germany. Hetzner Online GmbH is a German company with no US-cloud affiliation.
Trust & transparency
No hand-waving about compliance posture. Here is every component, every jurisdiction, and every sub-processor we use.
Every piece of infrastructure we run, the jurisdiction it sits in, and who owns it.
Hetzner Cloud, Falkenstein, Germany
Application servers and the Bridgekit API run on Hetzner Cloud in Germany. Hetzner Online GmbH is a German company with no US-cloud affiliation.
Hetzner (primary) + Scaleway S3 Paris (backups)
Primary Postgres database on Hetzner Germany. Off-site backups replicated to Scaleway Object Storage in Paris, France. Both providers are EU-based.
Self-hosted Keycloak, same EU host
Keycloak is open-source and self-hosted on our EU infrastructure. No external identity SaaS, no Auth0, no Okta, no Cognito.
Scaleway TEM, Paris, France
System emails (account confirmations, notifications) are sent via Scaleway Transactional Email, operated by Scaleway SAS in France.
Bridgekit is a product of Greenmango. Contracts, invoices and Data Processing Agreements are signed with Greenmango. Greenmango is registered in the Netherlands. All customer data is processed under EU law.
We process only what is necessary to provide the service.
Name, email address, organisation name, and payment tokens issued by Mollie. We never see or store raw card numbers — Mollie handles PCI-compliant card processing.
Your connector configurations, step logic, trigger settings and workflow names. Stored in our Postgres database in Germany.
Inputs, outputs and audit events from your workflow runs. Retention is configurable per plan, from 30 days on Starter to 1 year on Business and custom on Enterprise.
API keys and OAuth tokens used by your workflows. Encrypted at rest with AES-256-GCM and a versioned envelope. Plaintext is held in memory only during step execution and never written to disk, logs, or backups.
Greenmango is a Dutch entity subject to Dutch law. Any valid request for customer data must go through the Dutch legal system. We require a court order or equivalent legal process before disclosing any data. Where legally permitted, we notify affected users before disclosing. We make no voluntary disclosures to any government or law enforcement agency. We document every request we receive and will publish aggregate totals annually.
We have a standard DPA template ready for organisations that need one as part of their supplier onboarding. We are happy to negotiate amendments with your legal team.
Request DPA