Apple and Google
For app store publishing, Capgo acts as an API pass-through to the customer's own developer accounts. Apple and Google are independent controllers with a direct contractual relationship with the customer.
Legal
Subprocessors
DPA-scoped sub-processors used to operate Capgo cloud services, with processing purpose, location, and transfer mechanism.
- Last update
- June 4, 2026
- Effective Date
- July 4, 2026
- Notice Period
- 30 days
1. Introduction
This list contains the sub-processors engaged by Capgo, operated by Digital Shift OÜ, for the provision of Capgo cloud services. It forms part of the Data Processing Agreement.
The listed sub-processors process customer data on behalf of Capgo, including account data, application metadata, bundle metadata, device identifiers, source files submitted for native builds, build artifacts, workflow data, and delivery data transmitted through the cloud services.
2. Not Covered By This List
These services are not treated as Capgo sub-processors for the DPA list unless Capgo explicitly acts as processor.
Controller-side recipients
Services used by Capgo for its own business purposes, such as payments, email, product analytics, support, error monitoring, or internal code quality. Current examples include Stripe, Bento, PostHog, CodeRabbit, SonarCloud.
Customer-selected integrations
Third-party services connected by the customer, such as external source control, CI/CD, or webhook destinations, are governed by the customer's relationship with those providers unless Capgo explicitly acts as processor for that integration.
3. Change Notification
Capgo will notify customers at least 30 days before the intended engagement of a new sub-processor or a material change to an existing sub-processor, unless an urgent security, availability, or legal requirement requires faster action.
Customers may object to a new or changed sub-processor on reasonable data-protection grounds under the Data Processing Agreement.
4. Current Sub-processors
Customer data processed by Capgo as processor may pass through the following vendors.
| Name | Purpose / categories of data processed | Processing location | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Primary database, authentication, account data, application metadata, bundle metadata, and device identifiers. | London, United Kingdom | UK adequacy for UK hosting; EU Standard Contractual Clauses (SCCs) where applicable |
| Cloudflare, Inc. | Edge CDN, Workers runtime, Durable Objects, R2 storage, security services, and delivery of live updates. On customer opt-in, AI-assisted build-log diagnostics via Cloudflare Workers AI; logs are processed for the request and are not retained for training. | Global, including USA | EU-US Data Privacy Framework (DPF-certified); EU Standard Contractual Clauses (SCCs) as fallback |
| Google Cloud | Database read replicas and regional infrastructure for service availability and latency. | Hong Kong, Tokyo, Sydney, Johannesburg, Milan, Jeddah, Mumbai, Sao Paulo, and Columbus | EU Standard Contractual Clauses (SCCs); adequacy decisions where applicable; EU-US DPF/SCCs for US processing |
| GitHub, Inc. | Source code hosting and repository access when a customer connects GitHub to Capgo build or automation workflows. | USA | EU-US Data Privacy Framework (DPF-certified); EU Standard Contractual Clauses (SCCs) as fallback |
| Scaleway SAS | Build infrastructure, including macOS build runners, build artifacts, source files needed for native builds, and workflow data. | Paris, France, EU | Adequacy (EU) |
5. Change History
| Date | Change |
|---|---|
| 2026-06-04 | Rewrite: sub-processor list scoped to customer data processed by Capgo as processor; controller-side recipients and internal engineering services separated from the DPA sub-processor list. |
| 2026-06-04 | Cloudflare scope clarified: opt-in AI-assisted build-log diagnostics via Cloudflare Workers AI. |
| 2026-05-29 | Previous update: Supabase location clarified, Google Cloud regions listed, PostHog and Scaleway added, PlanetScale, Sentry, and Depot removed. |