Trust & transparency.
Trust must be earned through transparency, not marketing claims. This page documents exactly where your data goes, who processes it, and how we protect it.
Data residency.
All data is stored and processed exclusively in Nuremberg, Germany.
- Hosting provider: Netcup GmbH, Nuremberg, Germany
- Data center: Nuremberg, Bavaria, Germany
- Legal jurisdiction: German law and EU regulations exclusively
- Transatlantic transfers: None for monitoring data (payments via Polar.sh in USA, see below)
Legal status.
FoundersDeck is operated under German and EU law exclusively. We are:
- Not subject to the US CLOUD Act
- Not subject to FISA Section 702
- Not subject to any non-EU government data access legislation
- Not owned or controlled by any US parent company or VC fund
This means no foreign government can compel us to disclose your data through legal mechanisms that bypass EU protections.
Sub-processor register.
Under GDPR Article 28, we maintain a complete list of all sub-processors involved in delivering FoundersDeck. We notify customers of any changes at least 30 days in advance.
| Provider | Purpose | Location | Legal basis |
|---|---|---|---|
| Netcup GmbH | Server hosting, database | Nuremberg, Germany | DPA |
| Scaleway SAS | Transactional email (TEM) | Paris, France | DPA |
| Cloudflare, Inc. | DNS resolution only | USA (no customer data processed) | DPA + SCCs |
| Polar.sh | Merchant of Record (payments, invoicing, tax) | USA * | DPA + SCCs |
- 2026-04-13 — Corrected Polar.sh location from EU to USA. Added transparency note about interim payment provider status.
- 2026-04-08 — Replaced Resend (US) with Scaleway TEM (France) for transactional email. Added Cloudflare clarification (DNS only, no customer data).
- 2026-03-25 — Initial sub-processor list published.
* About Polar.sh (Merchant of Record). Polar.sh acts as our Merchant of Record — they handle all payment processing, invoicing, and tax compliance. FoundersDeck never stores credit card numbers, billing addresses, or payment credentials. Your payment data is processed entirely by Polar.sh and never touches our servers. Polar.sh is currently based in the USA. We use them because there is no comparable EU-based Merchant of Record that meets our technical requirements today. As soon as a suitable EU alternative becomes available, we will switch. This is a conscious interim decision, not a permanent trade-off.
About Cloudflare (DNS only). Cloudflare provides DNS resolution for our domain. No customer data, monitoring data, or account information is processed through Cloudflare. All application traffic flows directly to our Netcup servers in Nuremberg — Cloudflare is not used as a proxy, CDN, or WAF.
Data Processing Agreement.
If you process personal data through FoundersDeck, a DPA is required under GDPR Article 28. Our DPA is published and automatically entered into when you accept our Terms of Service — no sales call, no email, no waiting.
The DPA covers all data processing activities within FoundersDeck, including monitoring checks, incident detection, alerting and status-page rendering. It includes the complete sub-processor list above and Art. 28 GDPR processor obligations.
Data flow.
Here is exactly what happens with your data at each step:
Monitor checks
Our server in Nuremberg sends HTTP/Ping requests to your monitored URLs. The response status, response time, and any error information are stored in our PostgreSQL database, also in Nuremberg. No data leaves Germany.
Alerting
When an incident is detected, alerts are dispatched based on your configured channels. Email alerts go through Scaleway TEM. Slack / Discord / Webhook alerts go directly to the endpoint you specified. Alert content contains only your monitor name, status, and timestamp.
Status pages
Public status pages are rendered server-side in Nuremberg and served with zero cookies, zero tracking scripts, and zero third-party requests. Visitor browsers connect only to our German server.
Payments
All payment processing is handled by Polar.sh as Merchant of Record. FoundersDeck never stores credit card numbers or payment credentials. Polar.sh handles billing, invoicing, and tax compliance.
Your GDPR rights.
- Art. 15: Right of access — request a copy of all personal data we hold about you.
- Art. 16: Right to rectification — correct inaccurate personal data at any time through your account settings.
- Art. 17: Right to erasure — delete your account and all associated data. Automated, no support ticket required.
- Art. 20: Right to data portability — export all your monitoring data, incident history, and configuration in open formats (JSON, CSV).
- Art. 21: Right to object — object to processing of your personal data at any time.
Evaluating other providers? We maintain a side-by-side comparison of GDPR-compliant monitoring platforms — covering hosting location, legal entity, and CLOUD Act exposure for eight EU-native tools (and the three most common US-incorporated alternatives for contrast).
Questions about our data practices, sub-processor list, or your GDPR rights? Write to info@foundersdeck.dev — direct founder reply, no support queue.