Last updated: April 2026
Under the GDPR (Art. 28), data controllers who use VibeDeploy to host or process personal data are entitled to know which third parties Serso BV (operating as “VibeDeploy”) engages to process that data on their behalf. The list below enumerates every current subprocessor, what they do, and where they are located. It is kept current — when we add, remove, or replace a subprocessor, this page is updated and Business / Ultimate customers receive notice at the email on file so they can object in line with Art. 28(2).
Questions about any entry below — or objections under Art. 28(2) — can be addressed to privacy@vibedeploy.be.
| Entity & location | Purpose | Data categories shared | Legal / Terms |
|---|---|---|---|
Mollie B.V. Netherlands (EU) | Payment processing, invoice generation, recurring subscriptions. | Email, name, billing address, VAT number, payment-method metadata (last 4 digits, card brand). Full card data never reaches VibeDeploy. | Privacy / DPA Website |
OpenRouter, Inc. United States (Standard Contractual Clauses) | AI model routing for the AI site builder. | User prompts, generated content, token usage metadata. Requests are tagged so downstream LLM providers can't retain them for training (see OpenRouter data-retention settings). | Privacy / DPA Website |
Gandi SAS France (EU) | Domain registration and renewal on behalf of customers who purchase domains via VibeDeploy. | WHOIS registrant details: name, email, phone, postal address, VAT number (business customers). | Privacy / DPA Website |
Google Stitch United States (Standard Contractual Clauses) | AI-assisted design generation inside the AI site builder. | Prompts and design parameters. Output images/layouts are stored with the user's site. | Privacy / DPA Website |
Backblaze Inc. United States — storage in EU; Standard Contractual Clauses | Offsite encrypted backups of the VibeDeploy platform database (customer account metadata only — no site content). | Encrypted database dumps. Stored in EU region (eu-central-003, Amsterdam). | Privacy / DPA Website |
Cloudflare, Inc. United States — Standard Contractual Clauses | DNS resolution (outbound) for domain verification checks only. VibeDeploy does NOT currently use Cloudflare as a CDN or proxy. | Domain names being verified. No user data is shared beyond what's already public in the DNS. | Privacy / DPA Website |
Google Public DNS United States — Standard Contractual Clauses | Fallback DNS resolver used alongside Cloudflare for domain verification. | Domain names being verified. No user data. | Privacy / DPA Website |
SMTP provider (self-hosted by default) Depends on configuration — check the current Admin › SMTP settings. Self-hosted MTA located in Belgium (EU) in the default deployment. | Transactional email delivery (verification, password reset, billing receipts, team invites). | Recipient email address, email subject/body as rendered. | — |
Infrastructure that processes VibeDeploy's own operational data only — for example, the Belgian on-premises Kubernetes cluster and its storage — is operated directly by Serso BV and is not a subprocessor in the Art. 28 sense. Similarly, data processors you as a customer integrate with via environment variables or your own code (for example an analytics tool you embed on a deployed site) are your own processors, not VibeDeploy's.
We notify paying customers by email at least 14 days before any new subprocessor begins processing their data so they can object under Art. 28(2). If you object, we work with you to find an alternative or, if none is feasible, to terminate the affected service with a pro-rata refund.