HandbookHub – Sub‑processor Guidelines and List

Effective Date: 2025-10-22

Website: https://handbookhub.com


Our Approach to Sub‑processors

We engage carefully selected third parties ("sub‑processors") to help us operate HandbookHub. We follow these principles:

  1. Data Minimization: Each sub‑processor only receives the minimum data necessary to perform its function.
  2. Security and Compliance: We assess security controls, availability, and compliance posture. Data is encrypted in transit and at rest where applicable.
  3. Contracts and DPAs: We execute Data Processing Agreements (DPAs) and ensure appropriate transfer mechanisms for international data flows.
  4. Least‑Privilege Access: Access to production data is restricted to services and personnel who require it.
  5. Transparency and Updates: We maintain this page and provide reasonable advance notice of material changes when required.

Notification of Changes

We will update this page when we add or replace sub‑processors. For material changes, we aim to notify affected customers at least 30 days in advance via in‑app notice or email (where appropriate). Continued use after the notice period constitutes acceptance of the change.

Current Sub‑processors and Purposes

  • Hetzner (EU) – Hosting and infrastructure (application servers, databases).
  • MongoDB (self‑managed on Hetzner) or managed equivalent – Database storage for application data.
  • PostHog – Product analytics (opt‑in, pseudonymous usage metrics).
  • Crisp – Customer support chat (messages you send us).
  • OpenAI / compatible LLM providers – AI features (embeddings, content generation, autocomplete).
  • Slack (optional integration) – Message and command delivery between your workspace and HandbookHub.
  • Mailgun – Transactional email (OTP/login and notifications).
  • Google (OAuth) – Optional sign‑in/authentication.
  • Polar – Subscription management and billing.

We may also use ancillary providers (e.g., CDN, error monitoring) from time to time. Such providers are subject to the same vetting and contractual requirements.

Data Retention and Deletion (Integration‑specific)

For integrations such as Slack, we retain only what is necessary to operate the integration. OAuth tokens are stored encrypted and removed within 24 hours of uninstall; related installation metadata is purged within 30 days. Command text is processed transiently to produce answers and not persisted as message content. See our Privacy Policy for general retention.

Contact

For questions about our sub‑processors, or to request a copy of our DPA, contact support@handbookhub.com