Subprocessors

Version 2026-04-21.1 · Effective 21 April 2026

This page is the authoritative list of third-party organisations we engage to process personal data on behalf of our customers (“Subprocessors”) under Article 28(2)-(4) of the GDPR. It is maintained alongside our Data Processing Addendum and is referenced from the DPA as its Annex III.

1. Our commitments

  • We impose equivalent data-protection obligations on every Subprocessor by written contract (standard DPA terms, Standard Contractual Clauses where transfers leave the EEA, and confidentiality).
  • We conduct due diligence on each Subprocessor’s information security posture (certifications, published sub-processor lists, historical incidents) before engagement.
  • We notify customers at least 30 days in advance of engaging a new Subprocessor or expanding an existing one’s role, via email to the billing contact and an update to this page.
  • Customers may object to the engagement of a new Subprocessor by writing to contact@synaptico.ai within the notice window. We will work in good faith to offer a commercially reasonable alternative; if no alternative is agreed, the customer may terminate the affected Service for cause without penalty.

2. Core infrastructure & processing

The following Subprocessors are essential to delivering the platform and cannot be disabled on a per-customer basis. Customer Data storage and processing is concentrated in the EU, primarily in Frankfurt.

| Subprocessor | Purpose | Personal data scope | Location & transfer basis | Provider |
| --- | --- | --- | --- | --- |
| Render (Render Services, Inc.) | Application hosting, container runtime, managed Postgres database, managed Redis. | All Customer Data processed by the backend API (at rest in the Render Postgres instance; in flight inside the application container). | Frankfurt, Germany (EU region). Data does not leave the EU region. | Website ↗ |
| Vercel Inc. | Edge hosting and CDN for the Next.js frontend; static asset delivery. | No direct access to Customer Data. Processes request metadata (IPs, user-agents) inherent to serving HTTPS traffic. Routes authenticated requests to the backend without durable storage. | Frankfurt edge region for EU traffic. Vercel corporate is US-based; EU traffic is served from EU edge nodes. | Website ↗ |
| Stripe Payments Europe, Ltd. | Payment processing, subscription management, invoicing, VAT handling. | Billing name, email, payment instrument details (Stripe-tokenised — we never see raw card data), billing address. | Ireland (EU). Stripe is a payment service provider under its own GDPR posture and Schrems-II SCCs. | Website ↗ |
| Google LLC — Workspace (Gmail SMTP) | Outbound transactional email (welcome, payment receipts, contact-form replies) sent from contact@synaptico.ai. | Recipient email address, email body including any personal data we choose to include (names, billing amounts, FRIA notifications). | Ireland primary, with fallback to other Google EU regions. SCCs in place for any incidental transfer. | Website ↗ |
| Anthropic PBC | LLM inference for compliance analysis, classification and drafting features. Optional — toggleable per-feature. | Customer Data excerpts the user explicitly submits to an AI-powered feature (prompts, uploaded document text). | United States. Data processed under Anthropic's zero-training policy and our DPA; EU-US Data Privacy Framework SCCs apply. | Website ↗ |
| Google LLC — Gemini / Vertex AI | LLM inference (primary provider for classification and drafting). | Same scope as Anthropic above. Google processes prompts under its Vertex AI data-protection terms. | Ireland (EU multi-region for Vertex AI). | Website ↗ |
| OpenAI, L.L.C. | Optional LLM inference for specific features (backup provider). | Same scope as Anthropic. Used under the OpenAI Enterprise / API zero-retention API policy where available. | United States. EU-US DPF SCCs apply. | Website ↗ |
| Perplexity AI Inc. | Structured web research inside the regulatory knowledge pipeline. | Queries constructed from Customer Data (entity names, vendor names). Results are public web content, not personal data. | United States. | Website ↗ |
| SerpAPI Inc. | Google search results used by the regulatory knowledge pipeline. | Queries derived from Customer Data, as above. | United States. | Website ↗ |
| Sentry (Functional Software, Inc.) | Error and performance tracking. Only active when a DSN is configured in the deployment. | Stack traces and request metadata. Explicitly configured with `send_default_pii: false` so IPs, cookies and form values are not transmitted. | EU region (de.sentry.io) when deployed with an EU DSN. | Website ↗ |
| Google LLC — Google Analytics 4 | Aggregate usage analytics on the marketing site and in-app funnels. Loaded only after explicit user consent via our cookie banner. IP anonymisation enabled. | Pseudonymous client identifiers, page paths, consented event parameters. Cross-device linking disabled. | EU region (Consent Mode v2 + IP anonymisation). SCCs apply for any incidental transfer. | Website ↗ |
| Amazon Web Services, Inc. | Object storage (S3) for uploaded evidence documents. | Customer-uploaded files including any personal data contained therein. | eu-central-1 (Frankfurt). Server-side encryption with AWS-managed keys. | Website ↗ |

3. Optional Subprocessors

Certain features rely on Subprocessors that can be disabled at the organisation level. When disabled, the feature itself is unavailable rather than falling back to a cheaper provider — we never silently re-route Customer Data.

  • LLM providers (Anthropic, OpenAI, Gemini): disabled organisations see manual-only workflows for classification and drafting.
  • Sentry error tracking: disabled organisations do not send crash diagnostics.
  • Google Analytics: fires only for visitors who have explicitly consented through our cookie banner.

4. Cross-border transfers

Whenever a Subprocessor processes Customer personal data outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (2021/914) as the transfer mechanism, supplemented by the provider’s own certifications (EU-US Data Privacy Framework adherence, ISO 27001, SOC 2). Where the provider has self-certified under the EU-US DPF, we rely on that self-certification as the primary basis.

The EU-sovereign posture of the platform is concentrated on the storage layer: all durable Customer Data lives in Frankfurt, Germany. LLM inference may briefly touch third-country providers under the terms above, but is never the system of record.

5. Updates to this page

We maintain this page as a durable URL. Material changes are versioned (see header) and announced via email to the primary billing contact on file. Customers can also follow updates without subscribing to any additional email by bookmarking this page and monitoring the version string.

6. Questions

For due-diligence questionnaires, DPA-related questions, or to raise an objection to a new Subprocessor, contact contact@synaptico.ai — we route DPO-grade questions to the appropriate owner within one working day.

Synaptico · Avenue de Mai 32, 1200 Bruxelles, Belgium · 455 Market Street, San Francisco, CA 94105 · Data & infrastructure hosted in Frankfurt, Germany · Fully EU-sovereign.