Sub-processors — Attestia.eu
The Polish version is legally binding. In case of any discrepancy between the Polish and English versions, the Polish version shall prevail. The English version is provided for information.
Version: 1.0
Effective date: 2026-04-22
Last updated: 2026-04-22
Related documents:
- Terms § 10 + Annex 1 (DPA) — attestia.eu/terms
- Privacy Policy section 6 — attestia.eu/privacy
- Security — attestia.eu/security
1. What is the sub-processor list
Pursuant to Art. 28(2) and (4) GDPR and Art. 5 of the DPA (Annex 1 to the Terms), Attestia — as a processor — provides Organisations (controllers) with the current list of further processors ("sub-processors") engaged in connection with delivery of the Platform.
This page is the sole binding source of the current sub-processor list. In case of discrepancy between this list and copies published elsewhere (Privacy Policy, Terms), this page prevails — noting that the Terms and Privacy Policy are updated in parallel.
Capitalised terms have the meaning given in the Terms.
2. Current sub-processor list
| # | Sub-processor | Role | Data scope | Location | Transfer | DPA |
|---|---|---|---|---|---|---|
| 1 | Supabase (Pty) Ltd (via Amazon Web Services) | Database hosting, authentication, Audit Log | Account data, Organisation Data, Compliance Documents, Audit Log | EU — Frankfurt (eu-central-1) | Within EU/EEA | ✅ Signed |
| 2 | Microsoft Corporation (Azure OpenAI) | AI processing (Risk Classification, Compliance Document generation) | AI System descriptions (pseudonymised — no Organisation name, no personal data) | EU — Sweden Central (swedencentral) | Within EU/EEA; transient processing — no retention | ✅ Signed (Azure OpenAI Enterprise Agreement) |
| 3 | Vercel, Inc. | Application hosting (edge runtime) | No persistent personal data | EU — edge nodes (Frankfurt, Paris) | Within EU/EEA | ✅ Signed |
| 4 | Stripe, Inc. (and Stripe Payments Europe, Ltd.) | Payment processing — independent controller of payment data | Billing details (company name, address, VAT, EU VAT), transaction data | Ireland (EU) + USA | US transfers under SCC + EU-U.S. Data Privacy Framework (DPF) | ✅ Signed |
| 5 | Resend, Inc. | Transactional email delivery | User email address, transactional message content | USA | Standard Contractual Clauses (SCC) — Commission Decision 2021/914 | ✅ Signed |
Active sub-processors: 5.
3. Optional external authentication tools
The tools below are engaged only if the User chooses to use them at registration or login (alternative to email + password). If the User uses only email + password, their data is not shared with these providers.
| Provider | Role | Location | Transfer |
|---|---|---|---|
| Google LLC | OAuth — login via Google account | USA | SCC + EU-U.S. Data Privacy Framework (DPF) |
| GitHub, Inc. | OAuth — login via GitHub account | USA | SCC + EU-U.S. Data Privacy Framework (DPF) |
Data scope: OAuth identifier, email address (only to the extent necessary for Account identification). Scope limited to email + profile.
4. Change notification process
Under Art. 5 of the DPA (Annex 1 to the Terms):
- Notice period: Attestia will notify Organisations of any intended addition or replacement of a sub-processor with at least 30 days' notice before the planned change.
- Notification channels:
  - via email to the Account Owner,
  - via in-app notification,
  - via update to this page (with publication date).
- Right to object:
  - An Organisation with reasonable objections may object within 30 days of receipt of the notification.
  - The parties negotiate a solution.
  - If no solution is reached within 30 days of the objection, the Organisation has the right to terminate the contract with immediate effect, with a proportional refund of the fee for the unused Billing Period.
- Form of objection: email to privacy@attestia.eu with subject [OBJECTION: SUB-PROCESSOR] and justification.
- Obligations on new sub-processors: Attestia ensures that every new sub-processor is bound by the same data-protection obligations as those in the DPA (Annex 1 to the Terms) — in particular Art. 28(3) GDPR obligations and Annex A (Technical and Organisational Measures).
5. Transfers outside the EEA
| Sub-processor | Location | Transfer mechanism |
|---|---|---|
| Resend, Inc. | USA | SCC (Commission Decision 2021/914) |
| Stripe, Inc. (selected operations) | USA | SCC + EU-U.S. Data Privacy Framework (DPF) |
| Google LLC (OAuth — optional) | USA | SCC + EU-U.S. Data Privacy Framework (DPF) |
| GitHub, Inc. (OAuth — optional) | USA | SCC + EU-U.S. Data Privacy Framework (DPF) |
Attestia does NOT transfer outside the EEA:
- Organisation Data (AI System descriptions, questionnaire answers, evidence files),
- generated Compliance Documents,
- data processed by Azure OpenAI (Sweden Central region, within the EU).
6. Recipients who are not sub-processors
The following entities may receive data in a defined scope but are not sub-processors within the meaning of Art. 28 GDPR:
| Recipient | Scope | Legal basis |
|---|---|---|
| Accounting firm | Invoicing data (bookkeeping) | Art. 6(1)(c) GDPR (Polish Accounting Act) + accounting services agreement |
| Law firms and advisors | Data necessary for pursuing/defending claims | Art. 6(1)(f) GDPR (legitimate interest) |
| Public authorities | Data to the extent required by law (UODO — the Polish data protection supervisory authority, courts, tax authorities) | Art. 6(1)(c) GDPR |
7. Sub-processor vetting procedure
Every new sub-processor, before being added to the list, is assessed for:
- GDPR compliance — execution of a DPA with Attestia compliant with Art. 28 GDPR, including an Annex on technical and organisational measures (Art. 32 GDPR).
- Data location — preference for EU/EEA regions; transfers outside the EEA only with an adequate mechanism (SCC / DPF / adequacy decision).
- Security — certifications (ISO 27001, SOC 2), incident history, security posture.
- Financial stability — minimising supply-chain risk arising from bankruptcy/withdrawal.
- Interoperability — ability to migrate to an alternative provider without loss of compliance functionality.
Assessment results are documented in an internal Attestia register.
8. Changelog
| Date | Version | Change | Reason |
|---|---|---|---|
| 2026-04-21 | 1.0-draft | Initial list created (Supabase, Microsoft Azure OpenAI, Vercel, Stripe, Resend) | MVP launch |
Historical versions are archived and available on request to privacy@attestia.eu.
9. Notification subscription
Organisations receive change notifications automatically at the Account Owner's email. Additionally, any interested person (e.g. customer DPO, compliance officer) may subscribe to a dedicated notification channel by sending a request to privacy@attestia.eu with subject [SUBPROCESSOR UPDATES SUBSCRIPTION].
10. Contact
| Topic | Contact |
|---|---|
| Sub-processor enquiries | privacy@attestia.eu |
| Objection submissions | privacy@attestia.eu (subject: [OBJECTION: SUB-PROCESSOR]) |
| Subscribe to notifications | privacy@attestia.eu (subject: [SUBPROCESSOR UPDATES SUBSCRIPTION]) |
| Postal address | Trimalert sp. z o.o., ul. Przasnyska 7/319, 01-756 Warsaw, Poland |