
Subprocessors

Third parties that process customer personal data on behalf of Guard.ch.

Effective 2026-05-26 · Last updated 2026-06-10

Introduction and scope

A subprocessor is a third party engaged by Guard.ch (operated by Zesiger.net) to process personal data on our behalf in order to deliver the service. This register identifies each such party, its role, the categories of personal data it processes, the location of the processing and the transfer safeguard that authorises it.

For investigation content, Guard.ch acts as a processor on the customer's documented instructions, and the vendors that touch that content (durable storage, edge capture nodes, the AI analysis providers) are subprocessors within the meaning of Article 28(2) and (4) GDPR. For account, billing, security and platform data, Guard.ch acts as a controller, and the corresponding vendors are our processors. Both categories are listed in this register for transparency, in the same format. The role split between processor and controller activities is set out in Section 6.1 of the Privacy Policy.

This page is the public register referenced by our Data Processing Agreement. Where this register and the Data Processing Agreement conflict on a material point, the Data Processing Agreement prevails for the contracting customer.

Change notification

We update this register at least thirty (30) days before adding or replacing a subprocessor that processes customer personal data, so that customers can review the change and object before it takes effect. Changes that do not affect how customer personal data is processed, stored or transferred (for example a vendor's corporate rename, an address update, or the removal of a vendor) are reflected on the next routine update without the notice period.

Customers and prospects can subscribe to written change notifications by sending the word "subscribe" to [email protected]. The mailing list is used only for subprocessor and legal-document notices; you can unsubscribe at any time by replying with "unsubscribe".

Infrastructure and hosting

All durable customer data, including investigation captures, the production database and backups, lives in a single primary region: Hetzner's Helsinki facility in Finland (EEA). There is no durable copy of a capture anywhere else and no multi-region replication. Edge nodes in Singapore, Salt Lake City and Beauharnois run the isolated investigation containers and stream them to the user over WebRTC; capture artefacts exist on an edge node only inside the container's writable layer for the duration of the investigation and the upload to Helsinki, after which the container and its writable layer are destroyed.

The edge nodes are dedicated servers rented from the data-centre providers listed below for each location. Provider legal terms and transfer-impact details are available to customers on written request to [email protected].

Infrastructure and hosting providers

Hetzner Online GmbH
  Role and purpose: Durable hosting: the production database, S3-compatible object storage for investigation captures, account records and billing artefacts, and encrypted backups.
  Data categories: All durable customer personal data: account data, payment metadata, investigation captures, logs and backups.
  Location: Helsinki, Finland (EEA). Entity seat: Gunzenhausen, Germany.
  Transfer safeguard: Processing inside the EEA; the GDPR applies directly, and under Swiss data protection law the EEA is recognised as adequate, so no additional transfer mechanism is required. Hetzner data processing agreement in place.

OVHcloud (OVH Singapore PTE Ltd)
  Role and purpose: Hosts the edge node that runs isolated investigation containers and WebRTC streaming for investigations served from Asia Pacific.
  Data categories: Ephemeral capture artefacts (display recording, event log, metadata) inside the investigation container, for the duration of the investigation and the upload to Helsinki. No customer data at rest between investigations.
  Location: Singapore. OVHcloud publishes Singapore as an Asia-Pacific dedicated-server region.
  Transfer safeguard: Singapore holds no EU or Swiss adequacy decision. OVHcloud data processing terms, EU Standard Contractual Clauses (processor-to-processor module) and the Swiss FDPIC-recognised equivalent, plus encryption in transit (TLS 1.3, DTLS-SRTP) for the analyst stream and the artefact upload.

FiberState, LLC
  Role and purpose: Hosts the edge node that runs isolated investigation containers and WebRTC streaming for investigations served from North America.
  Data categories: Ephemeral capture artefacts (display recording, event log, metadata) inside the investigation container, for the duration of the investigation and the upload to Helsinki. No customer data at rest between investigations.
  Location: Salt Lake City, Utah, United States. Entity address published by FiberState: 106 East 13200 South, Draper, UT 84020, United States.
  Transfer safeguard: FiberState is not certified under the EU-US Data Privacy Framework. EU Standard Contractual Clauses (processor-to-processor module) and the Swiss FDPIC-recognised equivalent, a transfer impact assessment on file, and encryption in transit.

OVHcloud (OVH Hebergement INC)
  Role and purpose: Hosts the edge node that runs isolated investigation containers and WebRTC streaming for investigations served from North America.
  Data categories: Ephemeral capture artefacts (display recording, event log, metadata) inside the investigation container, for the duration of the investigation and the upload to Helsinki. No customer data at rest between investigations.
  Location: Beauharnois, Quebec, Canada. OVHcloud publishes Beauharnois as a North America dedicated-server region.
  Transfer safeguard: Canada's commercial sector (PIPEDA) is recognised as adequate by the European Commission (Decision 2002/2/EC) and by Switzerland. OVHcloud data processing terms, EU Standard Contractual Clauses and the Swiss equivalent are additionally in place.

Network, frontend delivery and bot protection

Cloudflare provides DNS for guard.ch and serves the guard.ch web frontend from its edge network. Backend API requests from the dashboard are served from our own origin infrastructure, and investigation capture content (recordings and replay artefacts) is served from the Helsinki origin; Cloudflare's role is limited to DNS, delivery of the web frontend and Turnstile. Cloudflare Turnstile runs on the registration, sign-in, email-code verification, password reset and investigation launcher forms to mitigate automated abuse.

Network, frontend delivery and bot protection providers

Cloudflare, Inc. (DNS and frontend delivery)
  Role and purpose: Authoritative DNS for guard.ch and delivery of the guard.ch web frontend (marketing site and dashboard application) from Cloudflare's edge, including TLS termination on those routes.
  Data categories: Visitor IP address, user agent and request metadata for requests to the guard.ch frontend. Backend API requests and investigation capture content are served from our own origin infrastructure in the hosting locations listed in this register; Cloudflare's role is limited to DNS, delivery of the web frontend and Turnstile.
  Location: Entity seat: San Francisco, California, United States. Global anycast edge.
  Transfer safeguard: Certified under the EU-US Data Privacy Framework and the Swiss-US extension (see the official DPF list); EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent under the Cloudflare data processing agreement operate as a fallback.

Cloudflare, Inc. (Turnstile)
  Role and purpose: Managed bot challenges on the registration, sign-in, email-code verification, password reset and investigation launcher (/start) forms.
  Data categories: IP address, user agent and interaction signals for the duration of the challenge, plus a per-request site token. No account content or capture content.
  Location: Entity seat: San Francisco, California, United States. Global anycast edge.
  Transfer safeguard: Certified under the EU-US Data Privacy Framework and the Swiss-US extension (see the official DPF list); EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent operate as a fallback.

Identity and authentication

Guard.ch supports passkeys, email-and-password sign-in and federated sign-in with Google or Microsoft. Federated providers receive data only when the user actively chooses that sign-in method; users who sign in with a passkey or email and password cause no data to flow to the providers below. When acting as identity providers, Google and Microsoft also process the sign-in event under their own terms as independent controllers of their respective identity services; they are listed here for transparency.

Identity and authentication providers

Google LLC (Sign in with Google)
  Role and purpose: OAuth 2.0 identity assertion when a user chooses Sign in with Google. Google returns the user's verified email address, name and profile picture URL, which Guard.ch uses to provision or look up the account.
  Data categories: OAuth identifiers and the basic profile fields above. Data flows only when the user actively selects this sign-in method.
  Location: Mountain View, California, United States.
  Transfer safeguard: Certified under the EU-US Data Privacy Framework and the Swiss-US extension (see the official DPF list); EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent operate as a fallback.

Microsoft Corporation (Sign in with Microsoft)
  Role and purpose: OAuth 2.0 / OpenID Connect identity assertion against Microsoft Entra ID when a user chooses Sign in with Microsoft. Microsoft returns the user's verified email address, display name and tenant identifier.
  Data categories: OAuth and SSO identifiers and the basic profile fields above. Data flows only when the user actively selects this sign-in method.
  Location: Redmond, Washington, United States.
  Transfer safeguard: Certified under the EU-US Data Privacy Framework and the Swiss-US extension (see the official DPF list); the Microsoft Products and Services Data Protection Addendum with EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent operates as a fallback.

Payments

Stripe processes payments for Guard.ch subscriptions. Guard.ch contracts with Stripe Payments Europe, Ltd.; processing may also involve Stripe, Inc. and other Stripe group entities under Stripe's data processing agreement. Guard.ch never receives or stores full card numbers: the payment method is tokenised at Stripe, and only the token, card brand and last four digits are stored in our billing records. For certain activities, such as fraud monitoring and its own regulatory compliance, Stripe acts as an independent controller as described in Stripe's own privacy documentation.

Payment processing providers

Stripe Payments Europe, Ltd.
  Role and purpose: Payment processing for Guard.ch subscriptions: checkout, subscription billing, invoices, refunds and dispute handling. Stripe Payments Europe, Ltd. is the Stripe entity Guard.ch contracts with.
  Data categories: Billing name and address, email address, payment method tokens and transaction records. Card numbers stay within Stripe's PCI DSS scope; Guard.ch never receives or stores the primary account number.
  Location: Dublin, Ireland (EEA).
  Transfer safeguard: Processing inside the EEA under the GDPR. Stripe data processing agreement in place.

Stripe, Inc.
  Role and purpose: Stripe group processing in the United States, including processing connected to customers billed outside the EEA, the United Kingdom and Switzerland, and Stripe's payment, risk and fraud-prevention infrastructure.
  Data categories: The same billing and transaction data categories as above, to the extent Stripe routes them to its US infrastructure.
  Location: South San Francisco, California, United States.
  Transfer safeguard: Certified under the EU-US Data Privacy Framework and the Swiss-US extension (see the official DPF list); EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent under the Stripe data processing agreement operate as a fallback.

Communications

Outbound transactional email (account verification codes, one-time sign-in codes, contact-form confirmations and similar account and service notices) is sent from [email protected], the shared transactional mail address of the browser.lol and guard.ch platform, through the Google Workspace SMTP relay. Investigation capture content is never included in transactional email.

Communications providers

Google Ireland Limited (Google Workspace, Gmail)
  Role and purpose: Outbound transactional email: account verification codes, one-time sign-in codes, contact-form confirmations and similar account and service notices, sent from [email protected] (the shared transactional mail address of the browser.lol and guard.ch platform) through the Google Workspace SMTP relay. Payment receipts and invoices are sent by Stripe, not through this relay.
  Data categories: Recipient email address and the content of the transactional message.
  Location: Dublin, Ireland (EEA). Mail data may be processed by Google LLC in the United States.
  Transfer safeguard: Google Workspace Data Processing Amendment. For processing by Google LLC in the US: certification under the EU-US Data Privacy Framework and the Swiss-US extension (see the official DPF list), with EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent as a fallback.

Analysis and AI services

Guard.ch uses third-party analysis services for narrowly scoped purposes: large language model inference for the AI analysis and summarisation features of an investigation, hostname reputation lookups that feed the automated verdict, and anomaly detection over aggregated operational logs. Among these providers, only OpenRouter (together with the inference provider it routes a given request to) receives user-submitted investigation content. Google Web Risk receives the checked hostnames only, and OpenAI receives aggregated operational telemetry only and never receives capture content.

Analysis and AI providers

OpenRouter, Inc.
  Role and purpose: Large language model inference for the AI analysis and summarisation features of an investigation, when those features run. OpenRouter is an API gateway: it forwards each request to the inference provider serving the model we have configured, and that provider processes the request as OpenRouter's sub-subprocessor.
  Data categories: Investigation-derived content submitted to the AI feature (for example extracted page text, capture signals and the prompts and responses involved). Account credentials are not transmitted. This is the only channel through which user-submitted investigation content reaches an AI provider.
  Location: United States (OpenRouter). The location of the routed inference provider depends on the model configured at the time of the request.
  Transfer safeguard: OpenRouter is not certified under the EU-US Data Privacy Framework. The EU Standard Contractual Clauses (2021/914) and the Swiss FDPIC-recognised equivalent are the applicable transfer mechanism, consistent with Section 9 of the Privacy Policy. Retention and training behaviour at the routed inference provider is governed by the per-provider data policies OpenRouter publishes.

Google LLC (Web Risk)
  Role and purpose: Hostname reputation lookup: the hostnames resolved during an investigation are checked against Google's Web Risk threat lists as one signal feeding the automated verdict.
  Data categories: The hostnames checked during an investigation. No URL paths or query strings, no account data and no other capture content.
  Location: Mountain View, California, United States.
  Transfer safeguard: Certified under the EU-US Data Privacy Framework and the Swiss-US extension (see the official DPF list); EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent operate as a fallback.

OpenAI OpCo, LLC
  Role and purpose: Automated anomaly detection over aggregated server-side operational logs (spikes, regressions, error patterns).
  Data categories: Aggregated log lines and pseudonymous identifiers only. Investigation capture content and user-submitted content are never sent to this provider.
  Location: San Francisco, California, United States.
  Transfer safeguard: OpenAI data processing agreement; certified under the EU-US Data Privacy Framework and the Swiss-US extension (see the official DPF list), with EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent as a fallback. API traffic is excluded from model training by contract.

Reference data sources (not subprocessors)

The enrichment shown in an investigation (IP geolocation, ASN data, network metadata, threat and tracker classifications, domain popularity) is produced from reference datasets that we license or obtain from public sources, download on a schedule, and query inside our own database. These providers supply data to us; they do not receive or process customer personal data and are therefore not subprocessors. They currently include MaxMind (GeoLite2 City and ASN), PeeringDB (via CAIDA snapshots), abuse.ch (Feodo Tracker, ThreatFox, URLhaus) and the Tranco list.

Two runtime lookups leave our infrastructure during an investigation: whois/RDAP queries for the registrable domain of the investigated URL, which are sent to the public directory services of the responsible registry or registrar, and the Google Web Risk lookup listed in the analysis section above. The whois/RDAP queries disclose only the investigated domain name to public directory infrastructure and are not subprocessing under a contract with Guard.ch.

International transfers

Guard.ch is operated from Switzerland. Switzerland is recognised as adequate by the European Commission and under the UK adequacy regulations, so personal data can move between the EEA, the UK and our Swiss establishment without additional transfer safeguards. Durable customer data stays in the EEA (Hetzner, Helsinki); only the ephemeral edge processing and the specific vendor services listed above involve processing outside the EEA and Switzerland.

For US vendors that are certified under the EU-US Data Privacy Framework and the Swiss-US extension, as identified per vendor in this register against the official DPF list, that certification is the primary transfer mechanism and the EU Standard Contractual Clauses operate as a fallback. For all other transfers outside the EEA, Switzerland and the UK, the EU Standard Contractual Clauses (2021/914) and the Swiss FDPIC-recognised equivalent are the baseline mechanism, supplemented by the European Commission's adequacy decision for the Canadian commercial sector (PIPEDA) for the Beauharnois edge location. Where the UK GDPR applies to an onward transfer, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses is used where required. Guard.ch itself is a Swiss entity and is not, and cannot be, certified under the Data Privacy Framework; we do not claim otherwise.

We maintain transfer impact assessments for the non-EEA destinations and make a copy (redacted where necessary) available to customers on written request to [email protected]. The canonical description of our transfer posture is Section 9 of the Privacy Policy.

Customer objections

Customers may object to the engagement of a new or replacement subprocessor on reasonable data protection grounds (for example a documented incompatibility with the customer's own regulatory regime). Objections must be sent in writing to [email protected] within fourteen (14) days of the change notification, and in any event before the announced change takes effect.

On receipt we will work with the customer in good faith to find a workable alternative. If no alternative can reasonably be agreed before the change takes effect, the customer may terminate the affected portion of the service without penalty and receive a pro-rata refund of prepaid fees for the unused term, consistent with the Terms of Service and the Data Processing Agreement.

Contact

Questions about this register, requests for the underlying data processing agreements or transfer impact assessments, subscription requests and objections all go to [email protected]. Postal mail reaches Zesiger.net at the address published in the Imprint.

Guard.ch

Operated by Zesiger.net, a Swiss company based in Schmiedrued. All data stored within the EU.

© 2026 Zesiger.net · UID CHE-488.503.816