ESGdesk™ provides 30 days advance notice to Customers before adding or replacing any sub-processor (per DPA v2.0 Section 6.3). Customers may object to changes in accordance with the procedure set out in the Data Processing Agreement (DPA).
| # | Sub-processor | Role | Location | Transfer mechanism | Notes |
|---|---|---|---|---|---|
| 1 | Google Ireland Ltd. (Gemini AI) | AI document scanning & ELISA assistant | Ireland (EU); USA processing | Standard Contractual Clauses (SCCs) | — |
| 2 | Stripe Payments Europe, Ltd. | Subscription billing & payment processing | Ireland (EU); processing also in USA | Standard Contractual Clauses (SCCs) | — |
| 3 | Fakturownia sp. z o.o. | VAT invoice generation (EU customers) | Poland (EU) | EU hosting (no transfer) | — |
| 4 | Resend, Inc. | Transactional email delivery (no-reply@esgdesk.ai) | USA; EU edge delivery | Standard Contractual Clauses (SCCs) | — |
| 5 | Lovable Technologies AB | Application hosting, build & deployment, and underlying backend infrastructure | EU (Sweden) | EU hosting (no transfer) | Operating Supabase infrastructure for backend (Database, Auth, Storage, Edge Functions). Supabase Inc. acts as a sub-sub-processor under Lovable. |
| 6 | Functional Software, Inc. (Sentry) | Error monitoring & diagnostics (frontend & backend) | EU (Frankfurt) ingest; USA control plane | Standard Contractual Clauses (SCCs) | — |
| 7 | Cloudflare, Inc. | CDN, DNS, social preview worker (news subdomain) | Global edge; USA control plane | Standard Contractual Clauses (SCCs) | — |
International transfers
Where sub-processors are located outside the European Economic Area (EEA), transfers are protected by the Standard Contractual Clauses (SCCs) approved by the European Commission and/or the EU-US Data Privacy Framework (DPF) for certified providers. See the "Transfer mechanism" column above for the specific safeguard applicable to each provider.
