Legal
Subprocessors
The categories of third-party service providers Fokal uses to operate. A specific vendor-level list is available to customers on request under NDA.
Categories of subprocessors
Infrastructure (hosting, database, CDN, security)
- Purpose: Host the Fokal application and store customer data; deliver static assets globally; defend against denial-of-service and other web attacks.
- Primary processing location: Australia (Sydney) for the primary application database; global edge for CDN and protection layers.
- Safeguards: Data Processing Agreements; EU Standard Contractual Clauses where data crosses borders; encryption at rest (AES-256) and in transit (TLS 1.2+).
Payment processing
- Vendor: Stripe (Stripe Payments Australia Pty Ltd / Stripe, Inc.). Stripe is named because it is the payment processor on every checkout and customers interact with it directly.
- Purpose: Subscription billing, payment processing, fraud detection.
- Processing location: Australia and United States.
- Safeguards: Data Processing Agreement; EU Standard Contractual Clauses; EU–U.S. Data Privacy Framework certified.
AI inference
- Vendors: Anthropic (PBC), OpenAI (L.L.C.), and other large-language-model providers as we add them. These are named because customers want assurance about whose models process their content.
- Purpose: Generate articles, audits, recommendations, and other AI Output at your request.
- Processing location: United States.
- Safeguards: Data Processing Agreements; zero-retention or commercial-tier terms that contractually prohibit the provider from using your data to train its models. See Privacy Policy §5.
Data and research providers
- Purpose: Provide keyword volume, SERP rankings, AI-engine query data, and other research signals that power Fokal's audits and recommendations.
- Processing location: United States.
- Safeguards: Data Processing Agreements; queries sent to these providers contain your brand name and category but do not contain personal information about you.
Transactional email
- Purpose: Send account, billing, security, and similar transactional notifications to your account email address.
- Processing location: United States.
- Safeguards: Data Processing Agreement; EU Standard Contractual Clauses; EU–U.S. Data Privacy Framework certified.
Observability and product analytics
- Purpose: Diagnose errors, measure feature usage, and improve the Service.
- Processing location: Configurable per provider (EU or US).
- Safeguards: Data Processing Agreements; EU Standard Contractual Clauses where applicable.
Customer-authorised third-party services
The following are services you authorise via OAuth. They are not Fokal subprocessors — they are services you connect to, and Fokal acts on your behalf within the scope you grant. We list them for transparency:
- Google Search Console (read-only)
- Google Analytics 4 (read-only)
- Wix
- Webflow
- Shopify
See our Google API Disclosure for Google-specific detail.
How we evaluate subprocessors
Before onboarding a new subprocessor, we evaluate:
- Its published Data Processing Agreement and equivalent contractual terms
- Its stated security posture (encryption, access controls, certifications such as SOC 2 or ISO 27001 where available)
- Its location of processing and the safeguards for international transfers
- For AI providers, its training stance — we only onboard providers that offer zero-retention or no-training terms
We document our evaluation and revisit subprocessors periodically.
How to request the specific vendor list
For customers conducting a security review or who require a specific vendor-level list (for example, to complete their own GDPR Article 28 obligations to their end users), email hello@fokal.com from your account email. We will share the specific subprocessor list under a non-disclosure agreement.
How to object to a subprocessor change
When we notify you of a new or replaced material subprocessor, you have 30 days to object. To object, email hello@fokal.com explaining your concern. If we cannot accommodate your objection (for example, by routing your data through an alternative subprocessor), you may terminate your Fokal subscription before the change takes effect and we will refund any pre-paid, unused fees for the affected period.
Contact
- Email: hello@fokal.com