Berserk

Sub-processors

This page lists every third party that processes customer personal data on behalf of Berserk ApS under a Data Processing Agreement.

Customer-telemetry sub-processors

None. Berserk ships self-hosted software. Customer telemetry stays inside infrastructure that the customer operates — object store, identity provider, and compute are all chosen and run by the customer. Berserk ApS does not receive, route, or store customer telemetry in normal operation.

Sub-processors during voluntary support engagements

If a customer engages us for hands-on support and voluntarily shares data with us under our Data Processing Agreement, that data is processed only on:

  • the laptop of the assigned engineer (full-disk encrypted, password-locked, controlled per our internal access-control and cryptography policies); and
  • the engineer's Berserk ApS Proton mailbox, only if the customer chooses email as the channel.

If a specific engagement requires routing customer data through any other service (for example, a file-share the customer prefers), the customer nominates that service in writing as part of the engagement scope. We do not introduce new sub-processors silently.

Sub-processorServiceWhen it appliesLocation
Proton AGEmail + drive (if used)Email-channel support engagements onlySwitzerland (adequacy decision)

What is not on this list

The third-party services we use to run Berserk ApS as a company — hosting for our own internal cluster, source-code hosting, internal chat, identity provider, engineering tooling — are not sub-processors under GDPR Art. 28, because they do not process customer personal data on the customer's behalf. They are tracked in the internal supplier register; controls and review cadence live in our internal supply-chain security policy (available under NDA on request to security@bzrk.dev). The technical posture is summarised publicly in the Security Whitepaper §"Supply-chain controls".

Where one of those services touches information about a customer (e.g. a customer emails us, or we file a vendor support ticket that mentions a customer name), Berserk ApS is acting as a controller of that limited contact data, not as the customer's processor.

When this list will change

Berserk ApS plans a hosted / managed offering. When that ships, the services we operate on the customer's behalf — compute, object store, identity provider, observability backend, etc. — will become customer-data sub-processors and will be added to this list before launch, with the 30-day notice required by the DPA.

Until that point, the only sub-processor on this page is Proton, and only during voluntary support engagements.

Notification of changes

We update this list whenever a customer-data sub-processor is added or removed. Customers under DPA are notified per the DPA template's sub-processor clause:

  • We give at least 30 days' notice of a new or replaced sub-processor.
  • Customers may object on reasonable security or compliance grounds during the notice period.

Contact

Questions about sub-processors: security@bzrk.dev.

Last updated

2026-05-01.