External Processors and International Transfers
This register describes service providers used or reserved by the EU/GDPR test deployment. The production register must be reviewed before launch and reflected in contracts, DPAs and transfer impact assessments.
Paid billing is disabled during Open Beta. Disabled/planned providers below are documented so they cannot be activated silently without legal and technical review.
Processor register
| Service | Status | Purpose | Data categories | Country / transfer |
|---|---|---|---|---|
| Hosting provider | active | Application hosting, storage, database and static files. | Account data, assessment inputs, reports, audit/security logs. | Georgia planned/current test hosting. SCC + transfer impact assessment required if outside EEA and no adequacy decision applies. |
| Hostinger SMTP | active | Registration verification, password reset and transactional email. | Email address, one-time tokens, minimal message metadata. | EU/other. DPA/SCC where applicable. |
| DeepSeek API | active | Optional generation of additional reports by LLM. | Assessment facts needed for the report. Payment card data is never sent. | Third country. DPA/SCC + transfer impact assessment before production release. |
| Google Tag Manager / Google Analytics | consent-gated | Optional analytics and product improvement. | Cookie/device identifiers and usage events only after analytics consent. | EU/US. Consent required; DPA/SCC where applicable. |
| Application logging | active | Security, error diagnosis and audit trail. | IP address, user id where authenticated, endpoint, user agent, security events. | Stored with application hosting. Access must be restricted to authorised staff. |
| Support mailbox | active | Customer support, complaints and privacy requests. | Email address, request content, attachments voluntarily provided by the user. | EU/other. DPA/SCC if outside EEA. |
| Payment provider | disabled | Checkout, invoices, VAT and refunds when paid billing launches. | Billing identity and payment tokens. AiActs must not store PAN/CVV. | TBD. PCI DSS provider, DPA and VAT/invoice process required before activation. |
| CDN provider | not used | Static asset delivery if future scale requires CDN. | IP address, request headers, static asset logs. | TBD. DPA/SCC required before activation. |
Transfer safeguards
- Minimise data sent to each provider.
- Keep optional analytics and marketing disabled until the user consents.
- Use DPAs and Standard Contractual Clauses where data leaves the EEA without an adequacy decision.
- Review subprocessors before paid public release.
- For a Russian (RU) instance, review whether foreign providers trigger Roskomnadzor notification or localisation restrictions.
Version 1.1 · Open Beta · EU/GDPR test deployment