Legal
Subprocessors
Last updated: 23 April 2026
vatnode engages the following subprocessors to provide the Service. We require all subprocessors to maintain at least the same level of data protection as required under GDPR.
Current subprocessors
| Subprocessor | Location | Purpose | Data shared | Safeguard |
|---|---|---|---|---|
Vultr Holdings LLC Vultr Holdings LLC | Frankfurt, Germany (EU) | Server infrastructure (database, API, and web hosting) | All personal data stored by vatnode (account data, API keys, check history, subscriptions) | None required — processor in EU/EEA |
Stripe Stripe Payments Europe Ltd. / Stripe, Inc. | Ireland (EU) / USA | Payment processing, subscription management | Email, billing name, Stripe customer ID, invoice records | SCCs (Module 2) for US-based access |
Resend Resend, Inc. | USA | Transactional email — account notifications and onboarding survey forwarding | Email address, display name, onboarding survey answers (when submitted) | SCCs (Module 2) |
Change notification
We will notify all active customers at least 14 days before adding or replacing a subprocessor. Notifications are sent to the email address on your account.
You may object to any such change by contacting [email protected] within 14 days of the notification. We will work with you in good faith to resolve the objection; if we cannot, you may terminate the affected service without penalty.
VIES and national registries
For VAT validation, vatnode transmits the queried VAT number (and, where configured, your requester VAT number) to the VIES service operated by the European Commission, and to national tax authority or company registry APIs of covered EU member states.
These entities act as independent data controllers, not subprocessors of vatnode. Transmission is within the EU.
Infrastructure tooling
We use self-hosted deployment and monitoring tools (Coolify, Docker, Redis, PostgreSQL) that run on our Vultr server in Frankfurt. These are software we operate directly and do not constitute separate subprocessors in the GDPR Art. 28 sense — data does not leave our infrastructure to reach them.
Contact
For questions about subprocessors: