Provider transparency
Sub-processors
Fred uses a focused set of infrastructure, database, security, analytics, payment, support, and integration providers to operate the service. Core application servers and customer data are hosted in Europe, with AWS and the database layer in Frankfurt.
- Last updated
- Core hosting
- Europe, with AWS and database layer in Frankfurt
- Change notice
- Material updates are reflected on this page
Current list
Providers are listed by the job they perform.
The exact data processed depends on product configuration, customer choices, consent settings, and the feature being used. Core Fred application infrastructure and customer data remain European-hosted. Customer agreements may include additional contractual terms.
| Provider | Category | Purpose | Data involved | Location |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Hosting and backend infrastructure | Cloud infrastructure for operating Fred platform services, storing application data, and supporting service reliability. | Customer workspace data, research files, account data, logs, and other platform data as needed to provide the service. | Frankfurt, Germany (AWS eu-central-1)European contracting entity and provider DPA |
| Supabase | Database infrastructure | European-hosted Postgres database infrastructure for Fred application records and related platform data. | Workspace records, application metadata, research data references, account data, and related service data. | Frankfurt, GermanyEuropean data residency and provider DPA |
| Cloudflare, Inc. | Traffic optimization, security, and public web analytics | Edge protection, traffic filtering, routing, performance, availability support, and public web analytics for Fred web properties. | IP addresses, request metadata, trackers, technical diagnostics, traffic data, and web analytics events where configured. | European configuration for Fred traffic where available; not a system of record for customer research dataProvider DPA and transfer safeguards where applicable |
| Stripe Payments Europe, Limited | Payments | Payment processing, billing support, subscription administration, and purchase records. | Billing address, email address, name, payment information, purchase history, trackers, and usage data. | European UnionEuropean contracting entity and provider terms |
| Google Ireland Limited | Authentication, scheduling, analytics, tags, and spam protection | Google OAuth, Google Calendar integration, Google reCAPTCHA, Google Analytics, Google Tag Manager, Google Ads conversion tracking, and related Google website infrastructure where enabled. | OAuth data, calendar metadata, event details, attendee email addresses, trackers, usage data, session statistics, interaction signals, and technical request data. | Ireland / European UnionGoogle Ireland Limited provider terms and DPA |
| HubSpot, Inc. | Meetings, forms, analytics, and marketing website tooling | Public website scheduling links, marketing analytics, forms, banner-related tooling, and related website operations where enabled through GTM or connected public-site tooling. | IP address, trackers, page views, campaign data, meeting scheduling context, form submissions, and related public-site interaction data. | United States / European Union, depending on the enabled HubSpot service pathProvider terms, DPA, and transfer safeguards where applicable |
| Microsoft Ireland Operations Limited | Authentication and file integration | OneDrive OAuth and related Microsoft account authorization flows where customers enable them. | Authentication data and other authorized integration data as described by Microsoft and the enabled integration. | European Union, where configured for Fred customer workflowsEuropean contracting entity and provider DPA |
| PostHog, Inc. | Product and website analytics | Product usage analytics, website analytics, feature engagement, conversion measurement, heatmaps, and session recording where enabled and consent requirements apply. | IP address, trackers, usage data, interaction events, clicks, scroll position, and session statistics. | European Union, using Fred's EU analytics configurationProvider DPA and transfer safeguards where applicable |
| Objectis Ltd. (CookieScript) | Consent management platform | Cookie consent banner, consent-state storage, category handling, and related consent-management operations for the public website. | Consent preferences, banner interaction data, IP address, browser metadata, and related website context required to manage consent. | Lithuania / European UnionProvider terms and DPA where applicable |
| Meta Platforms, Inc. | Advertising and conversion measurement | Advertising measurement, attribution, retargeting, or conversion support where Meta tooling is enabled on the public website. | Trackers, IP address, page views, referrer data, and event or conversion metadata where configured. | United States / European Union, depending on the configured Meta processing pathProvider terms and transfer safeguards where applicable |
| Functional Software, Inc. (Sentry) | Infrastructure monitoring | Error monitoring, performance diagnostics, troubleshooting, and operational reliability. | Technical diagnostics, identifiers, logs, and other data that may appear in error or performance events. | European Union, where configuredProvider DPA and transfer safeguards where applicable |
| Freshworks, Inc. (Freshdesk) | Support and contact management | Managing support requests, customer communications, procurement questions, and contact workflows. | Contact details, support messages, attachments, technical context, and data communicated while using support channels. | European Union, where configuredProvider DPA and transfer safeguards where applicable |
How to read this page
Transparency should make procurement easier.
Change notice
This page is the public place to review Fred's disclosed sub-processor list. Material changes will be reflected here, and enterprise agreements may specify additional notice or objection rights.
Public website evidence
The public-site tracking and consent disclosures on this page should be read together with the Cookie Policy because production cookie evidence confirms website analytics, advertising measurement, consent tooling, and website support providers on the public perimeter.
Customer control
Fred handles in-product acceptance flows where applicable. Customers remain responsible for selecting integrations, configuring studies, deciding what material is uploaded or requested, and ensuring that material is lawful and appropriate for the research purpose.
Data minimization
Fred's public policy position is to process only the data needed to provide, protect, support, and improve customer-requested research workflows, with core application data hosted in Europe.
Not sub-processors
Some parties touch research work without being Fred providers.
Customer-selected research participants
Participants invited by a customer are data subjects or research contributors, not Fred sub-processors.
Customer-owned tools and exports
If a customer exports data from Fred or uploads it to another tool, that destination is controlled by the customer unless Fred has separately contracted it.
Internal human reviewers
Authorized Fred personnel and contractors are governed through confidentiality and access controls rather than listed as external sub-processors.
Procurement questions
Contract-specific review
Enterprise buyers can review sub-processor details, security posture, DPA requirements, and rollout governance with the Fred team before adoption.