Subprocessors
The third-party providers KORDU LTD uses to run isitready.dev, what each one processes, and where.
Last updated: April 30, 2026
Operator: KORDU LTD, England and Wales company no. 16836154. Registered office: First Floor Office, 3 Hornton Place, London, United Kingdom, W8 4LZ. Legal contact: legal@kordu.gg.
How to be notified of changes
Subscribe to the subprocessor change list by emailing legal@kordu.gg with the subject “Subprocessor updates”. We will email you when we add or replace a subprocessor that processes personal data on our behalf.
Infrastructure (always required)
- Cloudflare, Inc. — Workers, Workers Analytics Engine, D1 (single-region SQLite), KV, R2, Queues, Durable Objects, Email Service Send Email, Turnstile, Observability. Personal data processed: submitted URLs, scan results, public reports, account data, session data, hashed product analytics scope identifiers, hashed IP addresses for rate-limit fallback, encrypted OAuth tokens, API key hashes, billing-state mirror. Region: global edge for Workers; D1 in a single configured region. Safeguard: UK Addendum to the EU SCCs.
- Polar Software, Inc. — payments, subscriptions, customer portal, invoices, usage metering, webhooks. Acts as an independent controller / merchant of record for payment, fraud, sanctions, and tax determination, and as a subprocessor for the customer-state mirror in our database. Card data is processed by Polar’s card processor and does not reach our infrastructure. Region: United States. Safeguard: UK Addendum to the EU SCCs (being put in place).
- Cloudflare Email Service Send Email — outgoing transactional email from noreply@isitready.dev. Region: Cloudflare global. Safeguard: same as Cloudflare row.
- PostHog, Inc. — product analytics for pageviews and signed-in product usage when enabled. Personal data processed: event metadata, page path without query strings, device/browser metadata, and account identifiers after sign-in identification. Region: EU Cloud. Safeguard: UK Addendum to the EU SCCs.
- Functional Software, Inc. (Sentry) — server-side error monitoring when Sentry is configured. Personal data processed: exception details and minimized request context after application-side redaction of cookies, headers, request bodies, query strings, and user data. Region: United States / global service infrastructure. Safeguard: UK Addendum to the EU SCCs.
Authentication providers (only if you use them)
- Google LLC — OAuth sign-in, Search Console scopes (webmasters.readonly) where you connect Search Console. Region: United States. Safeguard: UK Addendum to the EU SCCs.
- GitHub, Inc. — OAuth sign-in. Region: United States. Safeguard: UK Addendum to the EU SCCs.
- Discord, Inc. — OAuth sign-in. Region: United States; some sub-processing may occur in the EU. Safeguard: UK Addendum to the EU SCCs.
Public scan-data providers (used during scans)
- Google PageSpeed Insights and Chrome UX Report — lab and field performance metrics. Data sent: public hostname/URL of the target. Region: United States.
- Cloudflare DNS-over-HTTPS — public DNS lookups for resolution and DNSSEC checks. Data sent: hostname being resolved. Region: Cloudflare global.
Future / conditional subprocessors
If we introduce features that depend on the following kinds of provider, we will add them to the lists above before they go live: AI providers (for AI summaries, action plans, or natural-language explanations); email-deliverability providers; customer-support providers.
What we do not use today
We do not currently use a third-party advertising platform, a third-party customer-support provider, or a third-party AI provider. If any of this changes, we will update this page.
Sub-subprocessors
Each subprocessor above may use further service providers. Their respective lists are linked from their privacy notices. We are responsible to you for the work our subprocessors do; the chain is governed by their contracts and ours.