Subprocessors

Last Updated: July 12, 2026

F&D Ventures LLC, doing business as Tormano (“Tormano”), engages the third-party subprocessors listed below to deliver the Tormano CRM service. This list is maintained in accordance with Article 28 of the GDPR and the corresponding provisions in our Data Processing Agreement and Privacy Policy.

Notification of Changes

We will provide at least 30 days’ advance notice before adding any new subprocessor that will process Customer Personal Data. To receive change notifications, email privacy@tormano.com with the subject line “Subprocessor Notifications” and we will add you to the notification list. Customers may also bookmark this page and check for the “Last Updated” date above.

Current Subprocessors

The following subprocessors are engaged as of the date above. Each subprocessor has been assessed for security and privacy posture and is bound by data processing terms consistent with our obligations under the GDPR, CCPA/CPRA, and other applicable laws.

SubprocessorPurposeLocationCompliance
Hetzner CloudServer hosting, virtual machines, networkGermany / United StatesISO 27001
Backblaze B2Encrypted database backups, file storageUnited StatesSOC 2 Type II
StripePayment processing, subscriptions, donationsUnited StatesPCI DSS Level 1, SOC 1/2
SendGrid (Twilio)Transactional and campaign email deliveryUnited StatesSOC 2 Type II
TwilioSMS, voice calls, WhatsApp messagingUnited StatesSOC 2 Type II, HIPAA eligible
AnthropicAI-powered features (Claude API)United StatesSOC 2 Type II, GDPR compliant
OpenAIAI-powered features (GPT API, fallback)United StatesSOC 2 Type II, GDPR compliant
SentryError tracking and performance monitoring (PII-scrubbed before transmission)United StatesSOC 2 Type II, GDPR compliant
Cloudflare TurnstileBot protection on public formsUnited StatesSOC 2 Type II, GDPR compliant
MapboxAddress geocoding for contact map viewUnited StatesSOC 2 Type II
People Data LabsOptional contact enrichment (only when org enables)United StatesSOC 2 Type II
Intuit QuickBooksCustomer-initiated accounting integrationUnited StatesSOC 2 Type II
XeroCustomer-initiated accounting integrationNew Zealand / United StatesSOC 2 Type II
Google WorkspaceCustomer-initiated email and calendar OAuth integrationUnited StatesSOC 2 Type II, ISO 27001
Microsoft 365 (Microsoft Graph)Customer-initiated email and calendar OAuth integrationUnited StatesSOC 2 Type II, ISO 27001
Slack (Salesforce)Customer-initiated team-notifications integrationUnited StatesSOC 2 Type II, ISO 27001

Public Data Sources and Non-Personal-Data Services

The following services are used by Tormano but do not process Customer Personal Data on our behalf, and are therefore not sub-processors bound by data processing agreements:

  • Federal Election Commission (U.S. Government public API) and ProPublica Nonprofit Explorer (public-data API) — optional research lookups, used only when your organization enables them. A lookup transmits only the search terms needed for the query (for example, a name); results come from records these organizations already publish.
  • UptimeRobot — external availability checks of our public endpoints; receives no Customer Personal Data.
  • Healthchecks.io — heartbeat monitoring for scheduled jobs and backups; receives only job names and timestamps, no Customer Personal Data.

Customer-Initiated Integrations

Some integrations (QuickBooks, Xero, Google Workspace, Microsoft 365, Slack, and others) are activated only when a customer connects their own account through OAuth or API key. Tormano does not receive or process data from these services unless and until the customer initiates the integration. These integrations are governed by each provider’s own privacy policy and terms of service.

Data Residency

Tormano’s production data store and application servers are hosted in Hetzner Cloud data centers in the United States (Ashburn, Virginia). Most subprocessors also store and process data in the United States. Customer data may be transferred internationally as part of normal service operation. We rely on Standard Contractual Clauses (SCCs) and other approved transfer mechanisms where required by GDPR Chapter V or similar laws. See the Data Processing Agreement for details.

Contact

For questions about this list, including subprocessor change notifications, contact privacy@tormano.com.