Last updated: February 16, 2026
Sub-processors
This live list covers third parties that process Customer Personal Data to deliver Zentrik's services. This page is informational. Contractual commitments are in the Order Form, Terms, and any executed DPA.
Notice and changes
We notify customers of intended additions or replacements by email or in-product notice. The change is effective upon notice. Customers may object on reasonable, documented privacy or security grounds within 10 days. In urgent cases required for security, continuity, or bug fixes, we may engage a Sub-processor immediately and will provide notice without undue delay.
Security: security@zentrik.ai | Privacy: privacy@zentrik.ai
Current Sub-processors
| Sub-processor | Purpose | Data handled | Region | Transfer mechanism |
|---|---|---|---|---|
| Fly.io, Inc. | Application hosting and managed Postgres | All Workspace Data | mad (EU), sjc (US) | Standard transfer terms may be executed on request where applicable |
| Amazon Web Services, Inc. (S3) | Object storage for attachments | File attachments and related metadata | us-east-2 (US) | Standard transfer terms may be executed on request where applicable |
| Sentry.io, Inc. | Error monitoring and performance diagnostics | Error metadata and operational diagnostics | United States | Standard transfer terms may be executed on request where applicable |
| Google LLC (Analytics, Tag Manager, OAuth, reCAPTCHA, Gmail SMTP, Gemini if enabled) | Analytics telemetry (loads after consent where required), authentication, bot protection, email delivery, optional AI | IP/device/browser telemetry, SSO assertions, email metadata/content; prompt/context only if Gemini is enabled | United States | Standard transfer terms may be executed on request where applicable |
| OpenAI, L.L.C. | AI text generation and processing (API) | Prompt text and contextual project content supplied by Customer | United States (provider-dependent) | Standard transfer terms may be executed on request where applicable |
| Anthropic PBC | AI text generation and processing (API) | Prompt text and contextual content supplied by Customer | United States (provider-dependent) | Standard transfer terms may be executed on request where applicable |
| PostHog, Inc. | Product analytics and usage telemetry | IP address, device/OS, browser, timestamps, event metadata, and account identifiers (for example, user ID and email) for authenticated product users | United States | Standard transfer terms may be executed on request where applicable |
| Slack Technologies, LLC | Support communications | Names, contact details, and support interaction content | United States | Standard transfer terms may be executed on request where applicable |
Notes
- Gemini is disabled by default and used only if explicitly enabled.
- No customer content is intentionally sent to analytics.
- Customer-enabled integrations (for example, Jira) are initiated and controlled by the customer and are not Zentrik Sub-processors by default.
Change management and remedies
If a customer objects and the parties cannot resolve the objection, the customer may suspend the affected processing or terminate the impacted services, and Zentrik will provide a pro-rata refund of prepaid fees for the terminated portion.
Data handling references
- Data residency: primary hosting on Fly.io sjc (US); attachments on AWS S3 us-east-2 (US).
- Retention: encrypted nightly snapshots retained 5 days on a rolling basis and purged by rotation.
Recent changes
- February 16, 2026: Updated analytics data-handling detail for authenticated users.
- February 5, 2026: Updated notice, transfer, and retention language to align with the DPA.
Questions
For privacy or security questions, contact privacy@zentrik.ai or security@zentrik.ai.
Related legal pages
Review the complete legal set for contractual, privacy, and security context.
Company legal contact
Zentrik Company
490 Post St, Ste 500, PMB 2017
San Francisco, CA 94102, USA
Legal: legal@zentrik.ai | Privacy: privacy@zentrik.ai | Security: security@zentrik.ai