Data Processing Agreement
between
CoachBot Studio client (coach, expert, or organization)
as Controller (hereinafter “Controller”),
And
Coachbot AI GmbH
Mühlenstr. 8a
14167 Berlin
Germany
as Data Processor (hereinafter “Data Processor”,
Controller and Data Processor jointly the “Parties”)
Preamble
The Controller has commissioned the Data Processor in a contract already concluded (hereinafter referred to as the "Main Contract") for the services specified therein. Part of the execution of the contract is the processing of personal data. In particular, Art. 28 GDPR imposes specific requirements on such commissioned processing. To comply with these requirements, the Parties enter into the following Data Processing Agreement (hereinafter referred to as the “Agreement”), the performance of which shall not be remunerated separately unless expressly agreed.
§ 1 Definitions
(1) Pursuant to Art. 4 (7) GDPR, the Controller is the entity that alone or jointly with other Controllers determines the purposes and means of the processing of personal data.
(2) Pursuant to Art. 4 (8) GDPR, a Data Processor is a natural or legal person, authority, institution, or other body that processes personal data on behalf of the Controller.
(3) Pursuant to Art. 4 (1) GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter "Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(4) Personal data requiring special protection are personal data pursuant to Art. 9 GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of Data Subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and criminal offenses or related security measures, as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR, and data on the sex life or sexual orientation of a natural person.
(5) According to Article 4 (2) GDPR, the processing is any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(6) Pursuant to Article 4 (21) GDPR, the supervisory authority is an independent state body established by a Member State pursuant to Article 51 GDPR.
§ 2 Subject of the contract
(1) The Data Processor provides the services specified in the Main Contract for the Controller. In doing so, the Data Processor obtains access to personal data, which the Data Processor processes for the Controller exclusively on behalf of and in accordance with the Controller's instructions. The nature and purpose of the data processing by the Data Processor are set out in Appendix 1. The Controller shall be responsible for assessing the admissibility of the data processing.
(2) The Parties conclude the present Agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Contract.
(3) The provisions of this contract shall apply to all activities related to the Main Contract in which the Data Processor and its employees or persons authorized by the Data Processor come into contact with personal data originating from the Controller or collected for the Controller.
(4) The term of this Agreement and the related processing shall be governed by the term of the Main Contract, unless the following provisions give rise to further obligations or termination rights.
§ 3 Right of instruction
(1) The Data Processor may only collect, process or use data within the scope of the Main Contract and in accordance with the instructions of the Controller, unless the Data Processor is required to carry out further processing by the law of the European Union or one of its Member States to which the Data Processor is subject. In such case, it shall notify the Controller of these legal requirements prior to the processing, unless that law prohibits such information on important grounds of public interest.
(2) The instructions of the Controller shall initially be determined by this Agreement and the Main Contract. Thereafter, they may be amended, supplemented, or replaced by the Controller in writing or text form by individual instructions (Individual Instructions). The Controller shall be entitled to issue such instructions at any time. This includes instructions with regard to the correction, deletion, and blocking of data.
(3) All instructions issued shall be documented by the Controller. Instructions that go beyond the service agreed in the Main Contract shall be treated as a request for a change in service.
(4) If the Data Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Data Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Data Processor may refuse to carry out an obviously unlawful instruction.
§ 4 Types of data processed, group of Data Subjects, third country
(1) Within the scope of the implementation of the Main Contract, the Data Processor shall have access to the personal data specified in more detail in Appendix 1.
(2) The group of Data Subjects affected by the data processing is listed in Appendix 1.
(3) A transfer of personal data to a third country may take place under the conditions of Art. 44 et seq. GDPR. The Data Processor shall not transfer Personal Data outside the UK or EEA, nor permit access to Personal Data from outside the UK or EEA, unless:
The Data Processor has informed the Controller in advance of the countries involved, the relevant recipients or categories of recipients, and the transfer mechanism relied upon;
appropriate safeguards are in place, including standard contractual clauses, the UK International Data Transfer Agreement or other approved transfer mechanisms, as applicable; and
the Data Processor provides the Controller, on request, with reasonable information necessary to assess the transfer, including any transfer risk assessment or equivalent assessment carried out.
§ 5 Protective measures of the Data Processor
(1) The Data Processor shall be obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Controller's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.
(2) The Data Processor shall organize the internal organization within its field of responsibility in such a way that it meets the special requirements of data protection. It shall take the technical and organizational measures specified in Appendix 2 to adequately protect the Controller's data pursuant to Art. 32 GDPR, which the Controller acknowledges as adequate. The Data Processor reserves the right to change the security measures taken while ensuring that the contractually agreed level of protection is not undercut.
(3) The persons employed in the data processing by the Data Processor are prohibited from collecting, processing or using personal data without authorization. The Data Processor shall oblige all persons entrusted by it with the processing and performance of this contract (hereinafter "Employees") accordingly (obligation of confidentiality, Art. 28 (3) lit. b GDPR) and shall ensure compliance with this obligation with due care.
(4) The Data Processor has appointed a data protection officer. The Data Processor’s data protection officer is heyData GmbH, Schützenstr. 5, 10117 Berlin, datenschutz@heydata.eu, www.heydata.eu.
§ 6 Information obligations of the Data Processor
(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Data Processor, suspected security-related incidents or other irregularities in the processing of personal data by the Data Processor, by persons employed by it within the scope of the Agreement or by third parties, the Data Processor shall inform the Controller without undue delay and, in any event, within 24 hours of becoming aware of the incident. The same shall apply to audits of the Data Processor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
(a) a description of the nature of the personal data breach, including, to the extent possible, the categories and the number of Data Subjects affected, the categories affected and the number of personal data records affected;
(b) a description of the measures taken or proposed by the Data Processor to address the breach and, where applicable, measures to mitigate its possible adverse effects;
(c) a description of the likely consequences of the personal data breach.
(2) The Data Processor shall promptly take the necessary measures to secure the data and to mitigate any possible adverse consequences for the Data Subjects, inform the Controller thereof and request further instructions. The Data Processor shall provide all reasonable cooperation and assistance required by the Controller in connection with any investigation, notification, remediation or regulatory engagement arising from such incident.
(3) In addition, the Data Processor shall be obliged to provide the Controller with information at any time insofar as the Controller's data are affected by a breach pursuant to paragraph 1.
(4) The Data Processor shall inform the Controller of any significant changes to the security measures pursuant to Section 5 (2). No such change shall materially reduce the level of protection afforded to the Personal Data.
§ 7 Control rights of the Controller
(1) The Controller may satisfy itself of the technical and organizational measures of the Data Processor prior to the commencement of data processing and thereafter regularly on a yearly basis. For this purpose, the Controller may, for example, obtain information from the Data Processor, obtain existing certificates from experts, certifications or internal audits or, after timely coordination, personally inspect the technical and organizational measures of the Data Processor during normal business hours or have them inspected by a competent third party, provided that the third party is not in a competitive relationship with the Data Processor. The Controller shall carry out checks only to the extent necessary and shall not disproportionately disrupt the operations of the Data Processor in the process.
(2) The Data Processor undertakes to provide the Controller, upon the latter's verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a check of the technical and organizational measures of the Data Processor, including copies of relevant certifications, summaries of audits, and reasonable supporting documentation relating to sub-processors where Personal Data is processed by them.
(3) The Controller shall document the results of the inspection and notify the Data Processor thereof. In the event of errors or irregularities which the Controller discovers, in particular during the inspection of the results of the inspection, the Controller shall inform the Data Processor without undue delay. If facts are found during the control, the future avoidance of which requires changes to the ordered procedure, the Controller shall notify the Data Processor of the necessary procedural changes without delay.
§ 8 Use of service providers
(1) The contractually agreed services shall be performed with the involvement of the service providers named in Appendix 3 (hereinafter “Sub-processors”). The Controller grants the Data Processor its general authorization within the meaning of Article 28 (2) s. 1 GDPR to engage additional Sub-processors within the scope of its contractual obligations or to replace Sub-processors already engaged.
(2) The Data Processor shall notify the Controller in writing of any intended addition or replacement of a Sub-processor, including details of the processing to be carried out, at least 14 days in advance. Such notice shall be given to the Controller’s last notified contact email address (or such other contact as notified by the Controller from time to time).
(3) The objection to the intended involvement or replacement of a Sub-processor must be raised within 30 days of receipt of the notice on reasonable data protection grounds. The Data Processor shall not appoint the proposed Sub-processor until the objection period has expired. If the Controller objects, the Parties shall discuss the objection in good faith. If no commercially reasonable solution can be agreed, the Controller may terminate the affected Services without penalty on written notice.
(4) When engaging Sub-processors, the Data Processor shall oblige them in accordance with the provisions of this Agreement. The Data Processor shall ensure that any contract with a Sub-processor imposes data protection obligations equivalent to those set out in this Agreement, and the Data Processor shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations.
(5) A Sub-processor relationship within the meaning of these provisions does not exist if the Data Processor commissions third parties with services that are regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services provided by the Data Processor to the Controller and guarding services. Maintenance and testing services constitute Sub-processor relationships requiring consent insofar as they are provided for IT systems that are also used in connection with the provision of services for the Controller.
§ 9 Requests and rights of Data Subjects
(1) The Data Processor shall support the Controller with suitable technical and organizational measures in fulfilling the Controller's obligations pursuant to Articles 12-22 and 32 to 36 GDPR.
(2) If a Data Subject asserts rights, such as the right of access, correction or deletion with regard to his or her data, directly against the Data Processor, the latter shall not react independently but shall refer the Data Subject to the Controller and await the Controller's instructions.
§ 10 Liability
Liability between the Parties is governed by the liability provisions set out in the Main Contract and by applicable law.
§ 11 Termination of the Main Contract
(1) After termination of the Main Contract, the Data Processor shall return to the Controller all documents, data and data carriers provided to it or - at the request of the Controller, unless there is an obligation to store the personal data under European Union law or the law of the Federal Republic of Germany - delete them. This shall also apply to any data backups at the Data Processor. The Data Processor shall on request provide documented proof of the proper deletion of any data. Such return or deletion shall be completed without undue delay and, in any event, within 30 days of the Controller’s request unless a longer period is required by law. Data contained in rolling backups may be deleted on the standard deletion date of the respective backup. If a backup is restored, the data it contains shall be deleted without undue delay and no later than three days after restoration.
(2) The Controller shall be entitled to verify that the Processor has returned or deleted all data in full and in accordance with this Agreement.
(3) The Data Processor shall be obligated to keep confidential the data of which it has become aware in connection with the Main Contract even beyond the end of the Main Contract. The present Agreement shall remain valid beyond the end of the Main Contract as long as the Data Processor has personal data at its disposal which have been forwarded to it by the Controller or which it has collected for the Controller.
§ 12 Final provisions
(1) To the extent that the Data Processor does not expressly perform support actions under this Agreement free of charge, it may charge the Controller a reasonable fee therefore, unless the Data Processor's own actions or omissions have made such support directly necessary.
(2) Amendments and supplements to this Agreement must be made in writing. This shall also apply to any waiver of this formal requirement. The priority of individual contractual agreements shall remain unaffected.
(3) If individual provisions of this Agreement are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
(4) This agreement is subject to German law.
(5) The Data Processor shall not use Customer Data or Personal Data processed under this Agreement to train, fine-tune, benchmark, evaluate or otherwise improve any foundation model, general-purpose AI model or machine learning model for its own benefit or that of any third party, unless the Controller has expressly provided prior written consent.
§ 13 AI Act Assistance
Where reasonably required for the Controller's compliance with applicable obligations under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), the Data Processor shall provide the Controller with reasonable information regarding the operation of the Services, technical documentation available to the Data Processor, and the safeguards and risk-management measures implemented in connection with the processing activities performed under this Agreement.
Appendix 1 –
Description of the Processing
Description of the nature of the data processing
The Data Processor processes personal data in the course of operating and making available the services under the Main Contract. The processing encompasses the following operations:
Collection and storage of account and authentication data upon registration;
session management, including the initiation, maintenance, and termination of individual coaching interactions;
prompt orchestration and conversational guidance logic applied to User inputs;
operation of a two-tier memory system comprising episodic memory, meaning stored conversation histories, and artefact memory, meaning user-defined goals, fields, and configurations derived from User inputs;
generation and storage of progress tracking and goal achievement data;
aggregation and display of usage statistics in Controller dashboards; and
management of data portability, export, and deletion processes in accordance with the Agreement.
All data processed through the platform flows through Data Processor's infrastructure, including under the BYOK-Model.
Standard LLM Model. Where the Controller operates the platform under the Standard LLM Model, requests are routed through Data Processor's full infrastructure stack, including orchestration, session management, and LLM inference, via a large language model provider engaged by Data Processor as a sub-processor in its own name, as set out in the Sub-Processor List in Appendix 3.
BYOK-Model. Where the Controller operates the platform under the BYOK-Model, Data Processor's processing is limited to the infrastructure, orchestration, and session management layers. LLM inference is performed by a third-party provider designated by the Controller by means of an API key issued to the Controller by that provider, or by an AI model operated by the Controller itself. The Controller is the sole party responsible for the availability, performance, security, and data protection compliance of the LLM service or model it introduces.
Model Routing. Depending on the Controller's selected configuration, requested functionality and service availability, requests may be processed using one or more supported large language model providers listed in Appendix 3. The Data Processor remains responsible for the orchestration layer and for ensuring that any selected provider is engaged in accordance with this Agreement.
Anonymised Analytics. Data Processor processes aggregated feedback and usage data in anonymised form for platform improvement, product analytics, and benchmarking. This processing is carried out on the basis of an instruction given at the time of contracting. The Controller may revoke this instruction in text form at any time with effect for the future.
Support Data. Screenshots and other data submitted by the Controller in the context of support requests are processed exclusively for the purpose of handling the respective request and are not used for any other purpose.
Description of the data/data categories
Data Subjects
The personal data processed under this Agreement relates to the following categories of data subjects.
Customers, meaning natural persons who have entered into the Main Contract with Data Processor in their capacity as Creators or as authorised representatives of an Enterprise Customer, including coaches, trainers, mentors, and individuals acting on behalf of coaching organisations or enterprises.
Customer employees, meaning employees or authorised representatives of an Enterprise Customer who interact with the Data Processor in an administrative, billing, or account-management capacity (e.g. procurement or finance contacts) without themselves being Users of the coaching platform;
Users, meaning natural persons who access the platform on the invitation of a Customer.
Data Categories
The following categories of personal data are processed under this Agreement.
Personal identification data, comprising full name, email address, and telephone number. Where the Controller is an Enterprise Customer, this category also includes the User's employer affiliation and organisational role to the extent provided during onboarding.
Authentication and account data, comprising encrypted login credentials, authentication-provider identifiers in the form of hashed pseudonymised user IDs, Firebase identifiers, and invitation status together with the linkage of a User account to the relevant Controller account.
Controller configuration and programme data, comprising Controller-created CoachBot configurations and prompts, uploaded documents, structured knowledge bases, media files, custom instructions, workflow configurations, bot settings, evaluation criteria, User invitation lists, and aggregated usage reports generated in Controller dashboards. This category reflects data introduced by the Controller in the course of configuring and operating its programmes on the platform.
User activity data, comprising session logs including duration and features used, coaching conversation transcripts, episodic memory in the form of stored conversation histories, artefact memory in the form of user-defined goals, fields, and configurations derived from User inputs, and progress tracking and goal achievement data.
AI-generated content, comprising conversational responses, summaries, recommendations, coaching insights, generated reports, structured outputs and other content generated by the platform in response to Controller or User inputs.
Technical and operational data, comprising IP addresses and technical connection data generated upon platform access, infrastructure-level log files, and data submitted by the Controller in the context of support requests including any screenshots.
Special Categories of Personal Data
The Services are not designed for the intentional collection of special categories of personal data within the meaning of Article 9 GDPR. Nevertheless, Users may voluntarily disclose such information during coaching interactions, including through free-text inputs, uploaded content, or generated conversations.
To the extent that special categories of personal data are processed, such processing occurs solely on behalf of the Controller, in accordance with the Controller's documented instructions and this Agreement. The Controller remains responsible for ensuring that an appropriate legal basis pursuant to Articles 6 and 9 GDPR exists for such processing.
Description of the processing purposes
The Data Processor processes personal data on behalf of the Controller for the following purposes.
Platform provision and service delivery. The Data Processor processes personal data to make the agreed services available, including prompt orchestration, session management, operation of the memory system, and delivery of conversational guidance logic. This is the primary purpose underlying all processing under this Agreement.
Account management and access control. The Data Processor processes authentication and account data to create and maintain Controller accounts and User accounts, to manage access rights linked to the Controller's subscription, and to implement the invitation-based onboarding of Users. This includes the deactivation of User access upon termination of the Controller's subscription while preserving the User's individual account.
Programme configuration and operation. The Data Processor processes Controller configuration and programme data to enable the Controller to build, deploy, and operate AI-powered coaching programmes on the platform, including the storage of prompts, uploaded documents, knowledge bases, and bot-specific settings.
Progress tracking and dashboard reporting. The Data Processor processes User activity data to generate progress tracking, goal achievement data, and aggregated usage statistics, and to make these available to the Controller through the platform dashboard.
Data portability and offboarding. The Data Processor processes Controller data and User data to fulfil its data portability obligations, including the provision of structured, machine-readable exports upon the Controller's request and during the transition period following termination of the Agreement.
Support. The Data Processor processes data submitted by the Controller in the context of support requests, including any screenshots or session information, exclusively for the purpose of handling the respective request.
Compliance with legal obligations. The Data Processor processes personal data to the extent necessary to comply with applicable legal obligations, including obligations under data protection law.
Data Residency
Unless otherwise agreed in writing, Customer Data is primarily hosted and processed within the European Union. Any transfer outside the European Economic Area shall be carried out only in accordance with Chapter V GDPR and the safeguards described in this Agreement.
Appendix 2 –
Technical and organizational measures of the Data Processor
1 Subject of the document
This document summarizes the technical and organizational measures taken by the data processor within the meaning of Art. 32 para. 1 GDPR. These are measures with which the data processor protects personal data. The purpose of the document is to support the controller in fulfilling its accountability obligations under Art. 5 para. 2 GDPR.
2. Confidentiality (Art. 32 para. 1 lit. b GDPR)
2.1 Entry control
The following implemented measures prevent unauthorized persons from gaining access to the data processing systems:
Work in the home office: instruction to (freelance) employees to work in workrooms separated from living rooms if possible
Manual locking system (e.g. key)
Instructions to (freelance) employees not to work in publicly accessible areas (e.g. cafés)
Work in the home office: unauthorized persons have no access to the homes of (freelance) employees
2.2 Admission control
The following implemented measures prevent unauthorized persons from gaining access to the data processing systems:
Authentication with user and password
Creating user profiles
Use of 2-factor authentication
Automatic desktop lock
Use of anti-virus software
Encryption of data carriers
Management of user authorizations
General instruction to manually lock the desktop when leaving the workstation
2.3 Access control
The following implemented measures ensure that unauthorized persons do not have access to personal data:
The number of administrators is kept as small as possible
Management of user rights by system administrators
Instruction to (freelance) employees that only absolutely necessary data is to be printed out
Instruction to (freelance) employees that data should only be deleted after consultation
2.4 Separation control
The following measures ensure that personal data collected for different purposes is processed separately:
Separation of productive and test systems
Encryption of data records that are processed for the same purpose
For pseudonymized data: Separate storage of the allocation file on a separate, secure IT system (encrypted if possible)
Internal instruction to anonymize/pseudonymize personal data in the event of disclosure or after expiry of the statutory deletion period, if possible.
3. Integrity (Art. 32 para. 1 lit. b GDPR)
3.1 Transfer control
It is ensured that personal data cannot be read, copied, changed or removed without authorization during transmission or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures have been implemented to ensure this:
E-mail encryption
WLAN encryption (WPA2 with strong password)
Logging of accesses and retrievals
Provision of data via encrypted connections such as SFTP or HTTPS
3.2 Input control
The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:
Clear responsibilities for deletions
Instruction to employees to delete data only after consultation
4. Availability and Resilience (Art. 32 para. 1 lit. b GDPR)
The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client
Regular backups
Control of the backup process
Separation of operating systems and data
Hosting (at least of the most important data) with a professional hoster
Fire and smoke detection systems
5. Procedures for Regular Review, Assessment and Evaluation (Art. 32 para 1 lit. d GDPR; Art. 25 para. 1 GDPR)
5.1 Data protection management
The following measures are intended to ensure that an organization is in place that meets the basic requirements of data protection law:
Use of the heyData platform for data protection management
Appointment of the heyData data protection officer
Obligation of employees to maintain data secrecy
Regular training of employees in data protection
Maintaining an overview of processing activities (Art. 30 GDPR)
5.2 Incident response management
The following measures are intended to ensure that reporting processes are triggered in the event of data protection breaches
Reporting process for data protection violations pursuant to Art. 4 (12) GDPR to the supervisory authorities (Art. 33 GDPR)
Reporting process for data protection breaches in accordance with Art. 4 (12) GDPR to the data subjects (Art. 34 GDPR)
Involvement of the data protection officer in security incidents and data breaches
5.3 Data protection-friendly default settings (Art. 25 para. 2 GDPR)
The following implemented measures take into account the requirements of the "privacy by design" and "privacy by default" principles
Training of employees in "privacy by design" and "privacy by default"
No more personal data is collected than is necessary for the respective purpose.
5.4 Order control
The following measures ensure that personal data can only be processed in accordance with the instructions:
Written instructions to the contractor or instructions in text form (e.g. through a data processing agreement)
Ensuring the destruction of data after completion of the order, e.g. by requesting corresponding confirmations
Confirmation from contractors that they commit their own employees to data secrecy (typically in the data processing agreement).
Appendix 3 –
Current Sub-processors
Name | Function | Data Categories Processed | Server Location | Transfer Mechanism |
|---|---|---|---|---|
Cloud Platform Hosting & Compute-Infrastructure Gemini / Vertex AI LLM-Inference (Standard Model) Cloud SQL / Firestore Database & Data Storage | All categories | EU | Google LLC is EU-US Data Privacy Framework certified; SCCs as fallback; | |
Microsoft | Azure Hosting & Compute-Infrastructure Azure OpenAI Service LLM-Inference (Standard Model) | All categories | EU | No transfer — EU entity, EU processing, |
Mistral AI | LLM Inference (Standard Model) | User Activity Data, Configuration & Programme Data | EU | No transfer — EU entity, EU processing |
Anthropic / Claude | LLM Inference (Standard Model) | User Activity Data, Configuration & Programme Data | USA | EU SCCs, Module 3 (Processor-to-Processor), automatically incorporated into Anthropic's DPA |
Twilio | Messaging Infrastructure | Personal Identification Data, User Activity Data | USA | Twilio has Binding Corporate Rules (BCRs) and SCCs in place |
Zitadel | User Management & Authentication | Authentication & Account Data | EU | No transfer — EU entity, EU processing |
Notion | Ticketing & Internal Documentation | Support Data | USA | EU SCCs automatically incorporated into Notion's DPA |
Stripe | Billing & Payment Processing | Payment & Subscription Data | USA (some processing) | EU entity; EU–US Data Privacy Framework + SCCs |
Heap Analytics | Product Analytics | Technical & Operational Data | USA | EU SCCs; |
PostHog | Product Analytics | Technical & Operational Data | EU | No transfer — EU entity, EU processing |
Slack | Internal Collaboration | Internal Operational Data | EU | […] |
This table lists the Sub-processors currently engaged by the Data Processor and the categories of data and general processing location relevant to each. Full details of the contracting entity, registered address, and specific transfer safeguards relied upon for each Sub-processor are maintained on an up-to-date basis and are available to the Controller on request.