Subprocessors
Who else touches your data. Short list by design.
Subprocessor list (as of 2026-04-22)
| Subprocessor | Role | Data types | Location | Transfer mechanism |
|---|---|---|---|---|
| Cloudflare, Inc. | Edge compute (Workers), database (D1), KV, Pages hosting | All operational data: interactions, orgs, audit_log, rate_limits | Global edge, D1 primary in North America | SCCs |
| Sentry (Functional Software, Inc.) | Error tracking (customer opt-in only) | Stack traces, request metadata. Never request bodies, never keys | US | SCCs |
Cloudflare is the sole processor by default
If a customer does not opt into Sentry, Cloudflare is the only subprocessor. This is intentional, to keep the compliance surface small.
Change notification
COHESION notifies existing customers 30 days before adding a new subprocessor. Enterprise customers may object and, if not resolvable, terminate.
Security posture inherited from Cloudflare
- SOC 2 Type II, ISO 27001, ISO 27701, PCI DSS 3.2.1, GDPR, CCPA.
- TLS 1.3 in transit by default.
- D1 encryption at rest.