Last updated: March 1, 2026
OpenHospi uses the following third-party processors for the processing of personal data. All processors are located within the EU/EEA. No personal data is transferred outside the European Economic Area.
| Role | Processor: database hosting (PostgreSQL) and file storage (profile photos, room photos) |
| Location | Dublin, Ireland (eu-west-1) |
| Data processed | All personal data stored in the database, uploaded photos |
| Data processing agreement | Data processing agreement pursuant to Art. 28 GDPR in place (Supabase Data Processing Agreement) |
| Security | Encryption at rest and in transit, SOC 2 Type II certified |
| Role | Processor: web application hosting, serverless functions, edge network |
| Location | Dublin, Ireland (eu-west-1) |
| Data processed | HTTP requests (IP address, user agent) in server logs |
| Data processing agreement | Data processing agreement pursuant to Art. 28 GDPR in place (Vercel Data Processing Addendum) |
| Security | Automatic HTTPS, DDoS protection, SOC 2 Type II certified |
| Role | Processor: Redis database for rate limiting and abuse prevention |
| Location | Ireland (AWS eu-west-1) |
| Data processed | Anonymised rate limit counters (user ID hashes). No personal data stored |
| Data processing agreement | Data processing agreement pursuant to Art. 28 GDPR in place (Upstash DPA) |
| Security | Encryption at rest and in transit |
| Role | Processor: crash reporting and error monitoring |
| Location | Frankfurt, Germany (eu-central-1) |
| Data processed | Error events, stack traces, device model, OS version, app version. No personal data: sendDefaultPii disabled, IP stripping enabled, no session replay, no user tracking |
| Data processing agreement | Data processing agreement pursuant to Art. 28 GDPR in place, with Standard Contractual Clauses (SCCs) |
| Retention | 90 days |
| Security | Encryption at rest and in transit. Sentry's internal organisational metadata (developer accounts, project configs (no end-user data)) may be replicated to the US per Sentry's infrastructure |
| Role | Processor: mobile app builds, over-the-air (OTA) updates, and app distribution |
| Location | United States (Google Cloud Platform). Build servers process only app source code and produce binaries. No personal end-user data is involved |
| Data processed | App source code, JavaScript bundles, build metadata. No personal data collected from end users |
| Data processing agreement | Expo Terms of Service and Privacy Policy apply. Expo complies with the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs) for international transfers |
| GDPR relevance | No personal end-user data is transferred to or processed on EAS build servers. Only app source code and bundles are processed. Expo's international transfer safeguards (EU-US DPF, SCCs) provide additional protection per Art. 45-46 GDPR |
| Security | Signed updates, HTTPS-only delivery, code signing for OTA updates |