The point is about their privacy policy lacking any mention of all these “sub processors”.
Then, what’s the point of NextDNS “storing” logs in Switzerland, if they’re going to be streamed through GCP servers worldwide (because if GCP is streaming logs stored in Switzerland through Indian servers, then Indian laws apply and GCP will comply with those laws)? PrivacyGuides makes it seem as if “storing” logs in the EU etc is a positive thing: You can choose retention time and log storage location for any logs you choose to keep, or disable logs altogether.
I worked at BigCloud for more than 8 years: BigCloud don’t own ALL the infrastructure. They themselves use services of other providers who may or may not be in bed with respective governments where they operate. Besides it was routine for teams to comply with legal requests by granting access to actual customer data / metadata to the law enforcement. Some even had an automated workflow to grab all such data and bundle it up for legal. GCP I don’t think is any exception (see section 7.1.2: Cloud Data Processing Addendum | Google Cloud).
A concise privacy policy doesn’t mean it is complete. For reference, here’s Vercel privacy policy that clearly spells out what information is and isn’t available to various tools and services they use: Privacy Policy – Vercel
To be honest, I don’t really have a strong opinion one way or the other, but if PrivacyGuides is serious about avoiding the next Skiff, then transparency from companies must be top priority (and err on the side of caution in absence of clarity).
Can’t disclose. Under NDA.
I implore you to not assume. Ask them, and see what you get.