This page lists the third-party providers ("Subprocessors") that Turbo Technologies Ltd, trading as RepoWarden, uses to deliver the RepoWarden service. We only engage Subprocessors that meet our security and data-protection requirements, and we impose contractual obligations on them no less protective than those in our Data Processing Agreement.
We give at least 30 days' notice of any addition or replacement of a Subprocessor by updating this page. Customers who wish to be notified by email may opt in at privacy@repowarden.dev.
Infrastructure and hosting
Cloudflare, Inc.
- Purpose: Application hosting, serverless edge compute, managed SQL database, key-value storage, static site hosting, CDN, WAF, DDoS protection, analytics.
- Data processed: All customer account data, repository metadata, scan logs, encrypted OAuth tokens, request logs.
- Location: Global edge network; control plane in the United States.
- Compliance / transfer: Cloudflare DPA incorporating EU SCCs and UK IDTA. ISO 27001, ISO 27018, SOC 2 Type II, PCI-DSS, FedRAMP Moderate.
- DPA: https://www.cloudflare.com/cloudflare-customer-dpa/
AI / LLM
Anthropic, PBC
- Purpose: Large-language-model inference used to generate pull-request titles, descriptions, risk summaries, test scaffolding, and code suggestions.
- Data processed: Snippets of manifest/lock files, code diffs, commit messages, and issue/PR text from connected repositories. No OAuth tokens or billing data. Anthropic operates a zero-retention API.
- Location: United States.
- Compliance / transfer: Anthropic DPA incorporating EU SCCs and UK IDTA. SOC 2 Type II.
- DPA: https://www.anthropic.com/legal/dpa
Payments
Stripe, Inc. / Stripe Payments UK, Ltd / Stripe Payments Europe, Ltd
- Purpose: Payment processing, subscription management, invoicing, tax calculation.
- Data processed: Billing email, Stripe customer ID, subscription status, invoice metadata. Card details are entered directly into Stripe Checkout and never touch RepoWarden's systems.
- Location: UK contracting entity for UK customers; EU contracting entity for EEA customers; United States for global operations.
- Compliance / transfer: Stripe DPA incorporating EU SCCs and UK IDTA. PCI-DSS Level 1, SOC 1/SOC 2 Type II, ISO 27001.
- DPA: https://stripe.com/legal/dpa
Source-control integration
GitHub, Inc.
- Purpose: OAuth-based authentication, read/write access to repositories the customer has connected, webhook events for PR and commit activity.
- Data processed: GitHub account identifiers, email address, repository contents accessed under the customer's OAuth grant, webhook payloads.
- Location: United States.
- Compliance / transfer: GitHub DPA incorporating EU SCCs and UK IDTA. ISO 27001, SOC 1/SOC 2 Type II.
- DPA: https://docs.github.com/en/site-policy/privacy-policies/global-privacy-practices
Product analytics
PostHog Inc.
- Purpose: Product analytics — feature usage, funnels, aggregate usage trends.
- Data processed: Pseudonymous event data, feature-flag evaluations, coarse IP-derived geography, user agent. Set only if the user accepts analytics cookies.
- Location: EU Cloud region (Frankfurt, Germany) where configured; fallback to US region.
- Compliance / transfer: PostHog DPA incorporating EU SCCs and UK IDTA. SOC 2 Type II, ISO 27001, HIPAA.
- DPA: https://posthog.com/dpa
Error and performance monitoring
Functional Software, Inc. (Sentry)
- Purpose: Error, exception, and performance monitoring for the web and worker applications.
- Data processed: Stack traces, request metadata (secrets stripped), pseudonymous user ID, browser/environment info. PII scrubbing enabled by default.
- Location: United States.
- Compliance / transfer: Sentry DPA incorporating EU SCCs and UK IDTA. SOC 2 Type II, ISO 27001, HIPAA.
- DPA: https://sentry.io/legal/dpa/
Previously used Subprocessors
None at this time.
Notification of changes
We update this page whenever we add, remove, or replace a Subprocessor, and retain an archived version showing the state at each change. Subscribe to email notifications by writing to privacy@repowarden.dev.