🌍 EU-First Data Processing - Primary infrastructure in European Union, with SCCs for limited US-based email delivery (Resend)

Sub-processors and Third-Party Services

Last updated: January 17, 2026

What Are Sub-processors?

Sub-processors are third-party service providers that we engage to process personal data on our behalf as part of providing the Advine.ai service. Under GDPR Article 28, we are required to maintain a public list of all sub-processors and provide notice of any changes.

Our Commitment to EU Data Residency

All sub-processors listed below are contractually required to process data ONLY within the European Union. Your data never leaves EU/EEA jurisdiction.

Current Sub-processors

Sub-processorServiceData ProcessedLocationData CenterSafeguardsDPA
Supabase Inc.Database hosting, authentication, backup & recovery
  • User accounts & profiles
  • OAuth tokens (encrypted)
  • Campaign metrics
  • Organization data
  • Audit logs
🇮🇪 Ireland
EU ONLY
AWS eu-west-1
Dublin
  • SOC 2 Type II
  • GDPR DPA signed
  • ISO 27001
  • EU data residency
View DPA
Vercel Inc.Application hosting, edge functions, CDN
  • HTTP request logs
  • Session data
  • IP addresses (anonymized)
  • Performance metrics
🇩🇪 Germany
EU ONLY
fra1
Frankfurt
  • SOC 2 Type II
  • GDPR DPA signed
  • EU region enforced
  • ISO 27001
View DPA
Sentry
(Functional Software Inc.)
Error tracking, performance monitoring
  • Error logs
  • Stack traces
  • Performance data
  • User IDs (hashed)
Note: PII is automatically scrubbed before sending
🇩🇪 Germany
EU ONLY
ingest.de.sentry.io
Frankfurt
  • GDPR DPA signed
  • PII scrubbing enabled
  • EU data residency
  • SOC 2 Type II
View DPA
PostHog Inc.Product analytics, feature flags, session recording
  • Usage analytics
  • Session data
  • Feature usage metrics
  • User IDs (anonymized)
🇪🇺 European Union
EU ONLY
eu.i.posthog.com
EU Cloud
  • GDPR compliant
  • No third-party sharing
  • EU data residency
  • Privacy-first analytics
View DPA
Stripe Inc.
(Stripe Payments Europe Ltd.)
Payment processing, billing, invoicing
  • Billing details
  • Payment data (tokenized)
  • Invoice information
  • Transaction history
Note: We do NOT store credit card numbers
🇪🇺 European Union
Irish Entity
EU Operations
Multiple EU DCs
  • PCI-DSS Level 1
  • GDPR DPA signed
  • EU entity processing
  • ISO 27001
View DPA
Upstash Inc.Redis caching, rate limiting, job queues
  • Cache data
  • Rate limit counters
  • Session tokens
  • Job queue metadata
🇪🇺 European Union
EU ONLY
eu-west-1
Ireland
  • SOC 2 Type II
  • GDPR DPA signed
  • EU data residency
View DPA
Railway CorporationBackground worker hosting, job processing
  • Job queue data
  • Sync task metadata
  • Worker logs
🇪🇺 European Union
EU ONLY
eu-west
EU Region
  • SOC 2 Type II
  • GDPR DPA signed
  • EU data residency
View DPA
Resend Inc.
(Plus Five Five, Inc.)
Transactional email delivery
  • Email addresses
  • Alert content
  • User names
🇺🇸 United States
SCCs in place
AWS US
US Operations
  • SOC 2 Type II
  • GDPR DPA signed
  • SCCs for transfers
View DPA

Change Notification

We will provide 30 days' advance notice before adding, removing, or replacing any sub-processor. Notification will be sent via:

  • Email to the primary account holder
  • In-app notification for active users
  • Updated date on this page

Objection Rights

If you object to a new sub-processor within the 30-day notice period, you may terminate your subscription. See our Terms of Service for details.

Data Processing Agreements

We have entered into GDPR-compliant Data Processing Agreements (DPAs) with all sub-processors listed above. These agreements ensure:

  • Sub-processors process data only on our documented instructions
  • Appropriate technical and organizational security measures are in place
  • Sub-processors assist with data subject rights requests
  • Data is processed only within the EU/EEA
  • Sub-processors notify us of any data breaches within 24 hours

Why 100% EU?

By keeping all data processing within the European Union, we:

  • ✅ Avoid complex international data transfer mechanisms (SCCs, BCRs)
  • ✅ Eliminate risks associated with Schrems II concerns
  • ✅ Ensure full GDPR protection throughout the entire data lifecycle
  • ✅ Protect your data from foreign surveillance laws (e.g., U.S. FISA, CLOUD Act)
  • ✅ Simplify compliance for you and your clients

Your Rights

Under GDPR, you have the right to:

  • Know which sub-processors process your data (this page)
  • Object to specific sub-processors (with right to terminate service)
  • Request copies of DPAs (contact our DPO)
  • Request audits of sub-processor compliance (annual SOC 2 reports available)

Future Sub-processors

We continuously evaluate new services to improve Advine.ai. Any new sub-processors will:

  • Process data ONLY within the EU/EEA
  • Have GDPR-compliant DPAs in place
  • Meet our security standards (SOC 2, ISO 27001, or equivalent)
  • Be listed on this page with 30 days' advance notice

Questions?

For questions about sub-processors or data processing:

📋 Related Documents

Last Updated: January 17, 2026
Document Version: 1.1
Total Sub-processors: 8
EU-based: 7 of 8 (SCCs in place for US email service)