This page lists the third-party Sub-processors engaged by Authgear (SkyMakers Digital Limited) to deliver the hosted Authgear Services. Each Sub-processor is bound by data-protection obligations substantially equivalent to those in the Data Processing Addendum.
This page is the canonical record of Authgear's current Sub-processors and related vendor relationships. See Subscribing to Changes below for notification and objection procedures.
Authgear-operated Sub-Processors (GDPR Article 28)
The vendors in the table below Process End User Personal Data on Customer's behalf in connection with the Authgear Services and therefore qualify as Sub-processors under Article 28 of the EU GDPR and the equivalent provisions of the UK GDPR.
| Sub-Processor | Entity | Region | Purpose | Personal Data |
|---|---|---|---|---|
| Google Cloud Platform | Google LLC | Global GCP regions | Cloud hosting and infrastructure (compute, managed databases, object storage, networking) | All End User Personal Data processed by the Services |
| Postmark | ActiveCampaign, LLC | United States | Transactional email delivery for the Authgear Developer Portal (account invitations, password resets, billing and security notifications) | Recipient email address; message content |
| Stripe | Stripe, Inc. | United States | Subscription billing and payment processing for the Authgear Developer Portal (Customer billing only) | Customer billing contact details; payment-card data (stored by Stripe, not by Authgear) |
| Sentry | Functional Software, Inc. d/b/a Sentry | United States | Application error and exception monitoring across the Authgear Services and Portal | Error and stack-trace data; may incidentally contain limited Personal Data from request context |
| PostHog | PostHog, Inc. | United States | Product analytics on Customer admin activity within the Authgear Developer Portal | Customer admin event data; project metadata. Tracks Customer administrators only; does not capture End User Personal Data of Customer applications. |
| Google Analytics / Google Tag Manager | Google LLC | United States | Web analytics for the Authgear Developer Portal (portal.authgear.com only) | Portal usage events; Customer admin browser-side analytics, governed by the Privacy Policy |
Other Vendor Relationships
The vendors in the table below support Authgear's own business operations (sales, marketing, compliance, status communications, internal collaboration). They process Authgear's own data, and in some cases may incidentally process Customer administrator contact details (for example, when a Customer admin emails Authgear support or signs up for the Authgear newsletter). They do not Process Customer End User Personal Data on Customer's behalf and are therefore not Sub-processors within the meaning of Article 28 GDPR. They are listed here for transparency.
| Vendor | Entity | Region | Purpose | Data |
|---|---|---|---|---|
| Google Workspace | Google LLC | United States | Corporate email, file storage, and internal collaboration (the mailbox behind hello@authgear.com and Authgear's internal documents) | Inbound and outbound email content, including any Customer admin support correspondence; internal documents |
| MailerLite | MailerLite Limited | Ireland | Marketing mailing list and newsletter delivery | Email address and (where provided) name of opt-in newsletter subscribers; engagement metadata |
| Calendly | Calendly, LLC | United States | Sales-demo scheduling for the Schedule a demo flow | Prospect or Customer admin name, email, company, time zone, meeting time, and any answers provided in the booking form |
| Sprinto | Sprinto, Inc. | United States (with operations in India) | Compliance-program automation for maintaining ISO/IEC 27001 and SOC 2 Type II | Employee names and access reviews; system inventory; compliance evidence metadata. No Customer End User Personal Data. |
Customer-configured Integrations (not Authgear Sub-Processors)
Customers may, at their option, configure the Authgear Services to interact with third-party providers using credentials and accounts that the Customer owns and controls. Authgear is not a Sub-processor for these integrations; the Customer selects the provider, controls the data flow, and is responsible for entering into appropriate data-protection arrangements directly with the provider.
Categories include:
- SMTP providers (any) for Customer-sent verification, password-reset, and notification emails to End Users
- SMS providers — Twilio, Nexmo/Vonage, or any HTTP-callable custom gateway
- WhatsApp Cloud API (Meta Platforms) for WhatsApp OTP delivery
- Bot-protection providers — Google reCAPTCHA v2 and Cloudflare Turnstile
- Customer-controlled cloud storage (AWS S3, Google Cloud Storage, Azure Blob Storage, Alibaba Cloud OSS) for user export and asset storage
- Identity providers / OIDC and SAML connectors (e.g., Google, Microsoft, Apple, GitHub, Customer-operated identity providers) as configured by the Customer
Subscribing to Changes
Authgear publishes proposed Sub-processor additions or replacements on this page at least thirty (30) days before the change takes effect, unless an earlier engagement is required for security or business-continuity reasons. To receive email notifications when this list changes, please write to hello@authgear.com with the subject line "Subscribe to sub-processor updates". Objections on reasonable data-protection grounds may be raised in accordance with Section 6 of the Data Processing Addendum.
Start building with Authgear
