# Sub-processors

**Doc type:** Public sub-processor list (linked from [`/privacy.html`](../privacy.html)).
**Last updated:** 2026-05-26
**Notification commitment:** We notify enterprise customers in writing at least 30 days before a new sub-processor begins processing their data, or before an existing sub-processor's role materially changes.

## Definitions

A **sub-processor** is any third party we engage that processes personal data on our behalf as part of delivering the course or related services. Each sub-processor below is bound by a written Data Processing Agreement (DPA) compliant with Article 28 RGPD. Where the entity is not established in the EU, EU Standard Contractual Clauses (Module 2 — controller-to-processor) are in place; supplementary measures are noted per the Schrems II ruling (CJEU C-311/18) and the EU-US Data Privacy Framework (DPF) where applicable.

## Sub-processor list

| Sub-processor | Service | Data categories | Storage region | Entity location | Transfer mechanism | DPA URL |
|---|---|---|---|---|---|---|
| **Supabase Inc.** | Primary database + object storage (Postgres EU; `devis-pdfs` + `po-uploads` buckets) | All learner + cohort + quote + payment metadata + storage objects | Frankfurt (eu-central-1) | Delaware, USA — operates EU infrastructure via AWS Frankfurt | Supabase DPA + EU SCCs + EU-US DPF (Supabase certified) | <https://supabase.com/legal/dpa> |
| **Netlify Inc.** | Site hosting + serverless function runtime | Server access logs (IP, user-agent), function execution metadata | EU edge where supported (Frankfurt, Paris); function regions configured EU-first | San Francisco, USA — operates EU edge nodes | Netlify DPA + EU SCCs + EU-US DPF (Netlify certified) | <https://www.netlify.com/gdpr-ccpa/> |
| **Stripe Payments Europe Ltd.** | Payment processing, invoicing | Buyer email, name, billing address, card data (held by Stripe), payment metadata | Ireland (EU) | Dublin, Ireland — EU-internal | EU-internal (no SCCs required); residual US affiliate access covered by Stripe DPA | <https://stripe.com/legal/dpa> |
| **Resend Inc.** | Transactional email (magic links, receipts, completion notices) | Recipient email, name, subject, body, delivery logs (30 days) | EU region (Frankfurt) | Delaware, USA — operates EU region | Resend DPA + EU SCCs | <https://resend.com/dpa> |
| **Anthropic PBC** | AI inference for the Tux support bot | User question text, optional course context | US — no training on inputs (Zero Data Retention DPA) | San Francisco, USA | Anthropic DPA + EU SCCs + EU-US DPF (Anthropic certified). Inputs not used for model training | <https://www.anthropic.com/legal/dpa> |
| **Insee (Institut national de la statistique et des études économiques)** | Public SIRET validation API | SIRET number only (no PII) | France | Paris, France | Public open-data; no DPA required | <https://api.insee.fr> |
| **Plausible Analytics OÜ** (when enabled) | Privacy-preserving site analytics | No personal identifiers — cookieless, IP-hashed anonymously | EU (Frankfurt) | Tallinn, Estonia — EU-internal | EU-internal; no SCCs | <https://plausible.io/dpa> |

## CLOUD Act residual risk

Three of our sub-processors (Supabase Inc., Netlify Inc., Resend Inc., Anthropic PBC) are headquartered in the United States. While storage and processing for our account is configured in EU regions, the parent entities are theoretically subject to the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018), under which US courts may compel a US-headquartered provider to disclose data regardless of where it is stored.

We have assessed this risk and apply the following supplementary measures (post-Schrems II):

1. **Data residency**: all our accounts are configured for EU-only storage.
2. **Encryption at rest**: AES-256 with provider-managed keys; bring-your-own-key (BYOK) is on the roadmap for Tier 2 customers.
3. **EU-US DPF certification**: where the provider is DPF-certified, transfers benefit from the European Commission's adequacy decision of 10 July 2023.
4. **Standard Contractual Clauses**: in place with all non-EU entities even where DPF applies (belt-and-braces).
5. **Documented residual risk**: this section, available to enterprise customers during procurement.
6. **Tier 2 escalation path**: customers with strict French national-security requirements (Defence, Interior, Justice ministries, OIV-classified entities) are routed to a Tier 2 deployment on OVH SecNumCloud — an ANSSI-qualified sovereign cloud where no US-headquartered entity is in the data path. Tier 2 is not yet active but is on the doctrine gate #4 roadmap; customers will be quoted on the Tier 2 SLA before the convention is signed.

## Sub-processor change procedure

1. New sub-processor evaluated for: (a) data category exposure, (b) regional fit, (c) DPA terms, (d) certifications (ISO 27001 / SOC 2 / DPF).
2. DPA + SCCs signed; supplementary measures assessed and documented.
3. This document updated.
4. Enterprise customers notified by email at least 30 days before the new sub-processor begins processing their data.
5. Customer's right to object: any enterprise customer may object within the notification period. We will either propose an alternative arrangement or, if no alternative is workable, allow the customer to terminate the contract without penalty.

## Removal of a sub-processor

If we decommission a sub-processor:
1. All personal data is exported / migrated to the replacement sub-processor or to our own infrastructure.
2. The decommissioned sub-processor is contractually required to confirm deletion of all our data, with a written attestation, within 30 days of termination.
3. This document is updated and customers are notified.

## Changelog

| Date | Change |
|---|---|
| 2026-05-26 | Initial production list. Supabase EU (Frankfurt) added as primary data store. Airtable removed (legacy dual-write retained for cutover window only; will be removed in Phase A3). |