BridgekitBridgekit

Trust & transparency

We tell you exactly where your data lives.

No hand-waving about compliance posture. Here is every component, every jurisdiction, and every sub-processor we use.

Where your data lives

Every piece of infrastructure we run, the jurisdiction it sits in, and who owns it.

Compute

Hetzner Cloud, Falkenstein, Germany

Application servers and the Bridgekit API run on Hetzner Cloud in Germany. Hetzner Online GmbH is a German company with no US-cloud affiliation.

Database & backups

Hetzner (primary) + Scaleway S3 Paris (backups)

Primary Postgres database on Hetzner Germany. Off-site backups replicated to Scaleway Object Storage in Paris, France. Both providers are EU-based.

Identity & authentication

Self-hosted Keycloak, same EU host

Keycloak is open-source and self-hosted on our EU infrastructure. No external identity SaaS, no Auth0, no Okta, no Cognito.

Transactional email

Scaleway TEM, Paris, France

System emails (account confirmations, notifications) are sent via Scaleway Transactional Email, operated by Scaleway SAS in France.

Who you are contracting with

Bridgekit is a product of Greenmango. Contracts, invoices and Data Processing Agreements are signed with Greenmango. Greenmango is registered in the Netherlands. All customer data is processed under EU law.

What data we process

We process only what is necessary to provide the service.

Account & billing

Name, email address, organisation name, and payment tokens issued by Mollie. We never see or store raw card numbers — Mollie handles PCI-compliant card processing.

Workflow definitions

Your connector configurations, step logic, trigger settings and workflow names. Stored in our Postgres database in Germany.

Run logs & audit events

Inputs, outputs and audit events from your workflow runs. Retention is configurable per plan, from 30 days on Starter to 1 year on Business and custom on Enterprise.

Connector credentials

API keys and OAuth tokens used by your workflows. Encrypted at rest with AES-256-GCM and a versioned envelope. Plaintext is held in memory only during step execution and never written to disk, logs, or backups.

Law enforcement requests

Greenmango is a Dutch entity subject to Dutch law. Any valid request for customer data must go through the Dutch legal system. We require a court order or equivalent legal process before disclosing any data. Where legally permitted, we notify affected users before disclosing. We make no voluntary disclosures to any government or law enforcement agency. We document every request we receive and will publish aggregate totals annually.

Need a Data Processing Agreement?

We have a standard DPA template ready for organisations that need one as part of their supplier onboarding. We are happy to negotiate amendments with your legal team.

Request DPA