Subprocessors
1pm.app engages a small number of third-party service providers ("subprocessors") to operate the Service. Each subprocessor is bound by a written contract that imposes data-protection obligations no less protective than those We owe You under our Terms of Use (clause 4.3, the Article 28 processor terms).
If You are a Subscriber and want to be notified when this list changes — at least 30 days before any addition or replacement of a subprocessor handling Your personal data — email hello@1pm.app with the subject line "Subprocessor change notifications" and We will add You to the notification list.
Current Subprocessors
| Subprocessor | Purpose | Location | Documentation |
|---|---|---|---|
| Microsoft Azure (Microsoft Corporation) | Application hosting (App Service), relational database (Azure SQL), blob storage (uploaded files, branding logos), and operational telemetry (Application Insights). | Australia East (primary); East US (geo-replicated backups and CDN edges). | Microsoft DPA |
| Cloudflare (Cloudflare, Inc.) | Content delivery network, DDoS protection, web application firewall, and TLS termination at the network edge. | Global anycast network; Europe-routed traffic terminates at EU edges. | Cloudflare DPA |
| Stripe (Stripe Payments Europe / Stripe Inc.) | Subscription billing, payment processing, invoicing, and the customer-facing Stripe Billing Portal. We do not store card details ourselves — Stripe holds them under PCI-DSS Level 1. | Ireland (EEA customers), United States (other customers). | Stripe DPA |
| Resend (Resend, Inc.) | Transactional email delivery (account verification, password reset, billing notices, share-link invitations). | United States. | Resend DPA |
| Loops (Loops Inc.) | Lifecycle / drip email campaigns (onboarding sequences, trial-conversion prompts, cancellation flows). Only triggered for Subscribers who opt in to marketing communications. | United States. | Loops DPA |
| Bouncer (Usebouncer Sp. z o.o.) | Email address verification at sign-up and before bulk send — checks that an address is deliverable to reduce bounce rates and prevent abuse. Only the email address is shared. | European Union (Poland). | Bouncer DPA |
Technical and Organisational Security Measures
Across all subprocessors and Our own infrastructure, We maintain the following measures as required by GDPR Article 32:
- TLS 1.3 encryption in transit; AES-256 encryption at rest for all stored data and backups
- Role-based access control to production systems; multi-factor authentication required for all administrative access
- Audit logging of administrative and support access (including support impersonation sessions — see Privacy Policy clause 9)
- Network-edge DDoS protection, per-IP rate limiting, and per-user request budgeting
- Regular security patching driven by GitHub Dependabot and platform-vendor advisories
- Geo-redundant backups with a defined recovery point objective; backups encrypted at rest with separate keys
- Automatic deletion of inactive accounts on documented schedules (see Privacy Policy clause 3.8)
Questions or Objections
If You have questions about Our subprocessors, or wish to object to the engagement of a particular subprocessor on reasonable data-protection grounds, email hello@1pm.app. Where We cannot reasonably accommodate Your objection, You may terminate the affected Subscription Period as described in Terms of Use clause 4.4.
Last updated: 22 May 2026