Last Updated: May 2, 2026
F&D Ventures LLC, doing business as Tormano (“Tormano”), engages the third-party subprocessors listed below to deliver the Tormano CRM service. This list is maintained in accordance with Article 28 of the GDPR and the corresponding provisions in our Data Processing Agreement and Privacy Policy.
We will provide at least 30 days’ advance notice before adding any new subprocessor that will process Customer Personal Data. To receive change notifications, email privacy@tormano.com with the subject line “Subprocessor Notifications” and we will add you to the notification list. Customers may also bookmark this page and check for the “Last Updated” date above.
The following subprocessors are engaged as of the date above. Each subprocessor has been assessed for security and privacy posture and is bound by data processing terms consistent with our obligations under the GDPR, CCPA/CPRA, and other applicable laws.
| Subprocessor | Purpose | Location | Compliance |
|---|---|---|---|
| Hetzner Cloud | Server hosting, virtual machines, network | Germany / United States | ISO 27001 |
| Backblaze B2 | Encrypted database backups, file storage | United States | SOC 2 Type II |
| Stripe | Payment processing, subscriptions, donations | United States | PCI DSS Level 1, SOC 1/2 |
| SendGrid (Twilio) | Transactional and campaign email delivery | United States | SOC 2 Type II |
| Amazon Web Services (SES) | Fallback email delivery | United States | SOC 2 Type II |
| Twilio | SMS, voice calls, WhatsApp messaging | United States | SOC 2 Type II, HIPAA eligible |
| Anthropic | AI-powered features (Claude API) | United States | SOC 2 Type II, GDPR compliant |
| OpenAI | AI-powered features (GPT API, fallback) | United States | SOC 2 Type II, GDPR compliant |
| Sentry | Error tracking and performance monitoring (PII-scrubbed before transmission) | United States | SOC 2 Type II, GDPR compliant |
| UptimeRobot | External availability monitoring | United States | SOC 2 Type II |
| Cloudflare Turnstile | Bot protection on public forms | United States | SOC 2 Type II, GDPR compliant |
| Mapbox | Address geocoding for contact map view | United States | SOC 2 Type II |
| People Data Labs | Optional contact enrichment (only when org enables) | United States | SOC 2 Type II |
| ProPublica Nonprofit Explorer | Optional nonprofit affiliation lookup (only when org enables) | United States | Public-data API |
| Federal Election Commission | Optional public political-donations lookup (only when org enables) | United States | U.S. Government API |
| Intuit QuickBooks | Customer-initiated accounting integration | United States | SOC 2 Type II |
| Xero | Customer-initiated accounting integration | New Zealand / United States | SOC 2 Type II |
| Google Workspace | Customer-initiated email and calendar OAuth integration | United States | SOC 2 Type II, ISO 27001 |
| Microsoft 365 (Microsoft Graph) | Customer-initiated email and calendar OAuth integration | United States | SOC 2 Type II, ISO 27001 |
| Slack (Salesforce) | Customer-initiated team-notifications integration | United States | SOC 2 Type II, ISO 27001 |
Some integrations (QuickBooks, Xero, Google Workspace, Microsoft 365, Slack, and others) are activated only when a customer connects their own account through OAuth or API key. Tormano does not receive or process data from these services unless and until the customer initiates the integration. These integrations are governed by each provider’s own privacy policy and terms of service.
Tormano’s primary data store and application servers are hosted in Hetzner Cloud data centers. Most subprocessors store and process data in the United States. Customer data may be transferred internationally as part of normal service operation. We rely on Standard Contractual Clauses (SCCs) and other approved transfer mechanisms where required by GDPR Chapter V or similar laws. See the Data Processing Agreement for details.
For questions about this list, including subprocessor change notifications, contact privacy@tormano.com.