Service providers
The tools we use.
Last updated 2026-05-16
Like any modern app, SahlForm runs on a small handful of trusted services — for hosting, sending email, blocking spam, that sort of thing. Here's the full list, what each one does, and which region your data sits in. If we ever add a new provider, we'll give 30 days' notice before they go live.
AWS Singapore (ap-southeast-1)
What it does
Postgres database hosting + authentication (Better Auth)
What it sees
All tenant + submission data, user accounts, session tokens
Cross-border safeguards
SCCs (EU → SG); Neon DPA on file
Global (auto edge), primary US
What it does
Web application hosting + edge runtime
What it sees
Request logs, IP addresses (ephemeral), no application data
Cross-border safeguards
SCCs; Vercel DPA on file
US (primary)
What it does
Transactional email (verification, password reset, notifications)
What it sees
Recipient email, email subject + body content
Cross-border safeguards
SCCs; Resend DPA on file
Global (Cloudflare network)
What it does
Bot detection / abuse prevention on public form submissions
What it sees
IP address, browser fingerprint (ephemeral, not stored by us)
Cross-border safeguards
SCCs; Cloudflare DPA on file
What it does
AI form generation and iterative refinement (optional, tenant-triggered)
What it sees
Form prompts and existing form schema (no respondent data)
Cross-border safeguards
SCCs; provider-level DPA; tenant controls enable / disable
EU (primary) / US (failover)
What it does
Browser error tracking (optional, requires user consent via cookie banner)
What it sees
Browser error stack traces, user agent (anonymised), affected URL
Cross-border safeguards
EU adequacy / SCCs; only loaded after consent
Questions? privacy@sahlform.com