We use essential cookies to keep ESGdesk™ running. No advertising or tracking cookies are used. By continuing, you accept our use of essential cookies.

    Privacy Policy
    Have a question?

    Sub-processors

    The authoritative list of third-party service providers ("sub-processors") engaged by ESGdesk™ to deliver and support the platform. Mirrors DPA v2.0 Annex C.

    Aligned with DPA v2.1 | Last updated: April 30, 2026

    ESGdesk™ provides 30 days advance notice to Customers before adding or replacing any sub-processor (per DPA v2.0 Section 6.3). Customers may object to changes in accordance with the procedure set out in the Data Processing Agreement (DPA).

    #Sub-processorRoleLocationTransfer mechanismNotes
    1Google Ireland Ltd. (Gemini AI)AI document scanning & ELISA assistantIreland (EU); USA processingStandard Contractual Clauses (SCCs)
    2Stripe Payments Europe, Ltd.Subscription billing & payment processingIreland (EU); processing also in USAStandard Contractual Clauses (SCCs)
    3Fakturownia sp. z o.o.VAT invoice generation (EU customers)Poland (EU)EU hosting (no transfer)
    4Resend, Inc.Transactional email delivery (no-reply@esgdesk.ai)USA; EU edge deliveryStandard Contractual Clauses (SCCs)
    5Lovable Technologies ABApplication hosting, build & deployment, and underlying backend infrastructureEU (Sweden)EU hosting (no transfer)Operating Supabase infrastructure for backend (Database, Auth, Storage, Edge Functions). Supabase Inc. acts as a sub-sub-processor under Lovable.
    6Functional Software, Inc. (Sentry)Error monitoring & diagnostics (frontend & backend)EU (Frankfurt) ingest; USA control planeStandard Contractual Clauses (SCCs)
    7Cloudflare, Inc.CDN, DNS, social preview worker (news subdomain)Global edge; USA control planeStandard Contractual Clauses (SCCs)

    International transfers

    Where sub-processors are located outside the European Economic Area (EEA), transfers are protected by the Standard Contractual Clauses (SCCs) approved by the European Commission and/or the EU-US Data Privacy Framework (DPF) for certified providers. See the "Transfer mechanism" column above for the specific safeguard applicable to each provider.

    Related documents