Home โ€บ Sub-processors

Sub-processors

Last updated: 12 May 2026

Legal framework

Pro Digital Key relies on third parties (sub-processors) to deliver its services. Each sub-processor processes personal data on our behalf and under our instructions, pursuant to data processing agreements (DPAs) entered into under Article 28 of the GDPR.

Where processing involves transfer outside the European Economic Area (EEA), we apply one of the safeguards in Chapter V of the GDPR (Articles 44 to 49): a European Commission adequacy decision, Standard Contractual Clauses (SCCs — Decision 2021/914), or the EU-US Data Privacy Framework (DPF).

Current list of sub-processors

  • Anthropic, PBC — Content analysis and generation via the Claude API. Location: United States. Transfer basis: SCCs + EU-US DPF.
  • Twilio Inc. — Transactional SMS delivery. Location: United States. Transfer basis: SCCs + DPA + EU-US DPF.
  • Amazon Web Services EMEA SARL (SES) — Transactional email delivery. Location: Ireland (EU/EEA). Transfer basis: not applicable.
  • Emailit LTD — Email fallback delivery. Location: United Kingdom. Transfer basis: EU–UK adequacy decision (2021).
  • Google Ireland Limited (Google Workspace) — Business mailbox and commercial communications. Location: Ireland (EU/EEA), with processing by group entities in the US. Transfer basis: SCCs + EU-US DPF.
  • Contabo GmbH — Application server hosting (VPS). Location: Germany (EU/EEA). Transfer basis: not applicable.
  • pCloud AG — Encrypted off-site backups. Location: Switzerland. Transfer basis: Adequacy Decision 2000/518/EC.
  • Google Ireland Limited (Google Drive) — Encrypted off-site backups. Location: Ireland (EU/EEA), with processing in the US. Transfer basis: SCCs + EU-US DPF.
  • Amazon Web Services EMEA SARL (S3) — Encrypted off-site backups. Location: Ireland (EU/EEA). Transfer basis: not applicable.

Local components (not sub-processors)

The following components do not qualify as external sub-processors because they do not involve the transfer of personal data to third parties:

  • MaxMind GeoLite2 — database downloaded and queried locally on our servers; no data is sent back to MaxMind.
  • GlitchTip — error-monitoring system hosted on our own infrastructure.

Your rights

Under Article 13(1)(f) of the GDPR, you have the right to be informed of these international transfers and, upon request, to obtain a copy of the safeguards in place. You may also object to processing by a specific sub-processor (Article 21) by contacting [email protected].

Changes

This list is updated as our infrastructure evolves. We undertake to notify material changes by email to data subjects with an active relationship with us, with at least 14 days' notice, allowing the right of objection to be exercised before the change takes effect.

Questions about any of these sub-processors?

Privacy Policy