Sub-processors
UAB APP FOREST · Version 1.0 · Last updated
Draft — effective at launch, last updated . UAB APP FOREST is in formation. This policy is published for transparency and takes legal effect once the company is incorporated and its registration details are completed.
A sub-processor is a third party that UAB APP FOREST (trading as Foresttasks) engages to process personal data on our behalf in order to run and deliver the Service. This page lists every such provider, what it does, and what data reaches it. It supplements our Data Processing Agreement and Privacy Policy.
We are committed to keeping this list current and to giving customers advance notice before a new sub-processor starts processing personal data. To be notified of changes, email privacy@foresttasks.app and ask to be added to sub-processor change notifications.
Core sub-processors
These providers support the Service for every customer. They may process personal data as part of normal operation of the platform.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payments and subscription billing | Billing contact email, organisation identifier; card data is entered directly on Stripe-hosted Checkout and never reaches our servers | USA / global (SCC + EU-US DPF) |
| Resend | Transactional email delivery (verification, password reset, invitations, notifications) | Recipient email address and message content | USA (SCC) |
| Cloudflare | DNS, CDN, TLS, DDoS protection and bot mitigation | IP address and request metadata for traffic to the service | Global edge network (SCC) |
| Hosting provider (European Union) | Cloud server hosting and primary application data storage (PostgreSQL) | All application data, stored on infrastructure located in the European Union | European Union |
Customer-enabled sub-processors
These providers are engaged only when you turn on the relevant feature. If you never enable the feature, no data is shared with the provider. For bring-your-own-key (BYOK) AI, the AI provider you choose acts under your own account and API key — effectively as your own sub-processor — and we transmit the relevant task content to it using your key, which we hold encrypted per organisation at rest.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Optional “Sign in with Google” authentication | Name, email address and Google account identifier — only if a user chooses Google sign-in | USA / global (SCC + EU-US DPF) | |
| Your chosen AI provider (e.g. Anthropic, OpenAI, OpenRouter) | AI assistance, only when an organisation supplies its own API key | Task title, description and intent are sent to the provider you configure, using your key; the key is encrypted per organisation at rest | Depends on the provider you choose |
| Object storage (S3-compatible) | File attachment storage, only when an organisation enables attachments | Uploaded files; bytes flow directly between your browser and storage via presigned URLs and do not transit our application servers | Configurable |
Change-notification policy
Under the general authorisation in our Data Processing Agreement, we may add or replace sub-processors as the Service evolves. When we do, we update this page and notify customers who have asked to be kept informed. Customers acting as data controllers may object to a new sub-processor on reasonable, data-protection-related grounds within the notice period set out in the DPA. The transfer safeguards for any sub-processor located outside the European Economic Area — Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework — are noted in the Location column above.