Compliance · Article 11.8
Sub-processors: who Clozo uses, where data goes, and why it's safe
Clozo uses 10 sub-processors to deliver the service (per Privacy Policy §6); 6 are EU-based, 5 are US-based with active EU-US Data Privacy Framework certification + Standard Contractual Clauses + supplementary measures documented in our Transfer Impact Assessment. Crisp added in BATCH-2026-05-07-003 BUG-001.
Modern SaaS runs on third-party infrastructure. The question for GDPR is not "do you use third parties?" but "do you control the relationship and document the safeguards?" Clozo maintains a published list of every sub-processor, the data they receive, and the legal mechanism for transfers outside the EU. This article walks through the list, the categories, and the Schrems II framework that governs US transfers.
Why this works this way
The full sub-processor list (mirrors docs/compliance/RoPA.md "Sub-Processors List" and Privacy Policy §6 — 10 entries):
| # | Sub-processor | Function | Region | Transfer mechanism |
|---|---|---|---|---|
| 1 | Stripe Payments Europe Ltd + Stripe Inc. | Subscription billing + payment processing (EU-side controller in Ireland; US-side processor for some operations) | Ireland (primary) + US (Delaware) | Internal EU + EU-US DPF + SCCs Module 2 |
| 2 | Railway Corp. | Backend + Celery + PostgreSQL hosting | EU (region: europe-west4, Netherlands) | EU-US DPF + SCCs (control plane in US) |
| 3 | Cloudflare Inc. | Edge CDN, DDoS, Workers (frontend, marketing site, admin) | Global edge with EU-region routing for ingress | EU-US DPF + SCCs |
| 4 | PostHog Inc. | Product analytics — ingestion on EU servers (eu.i.posthog.com) | UK headquarters; EU instance hosted in Frankfurt, Germany | UK adequacy decision + SCCs |
| 5 | Google Ireland Ltd + Google LLC | Google Ads + GA4 conversion attribution | Ireland (controller) → US (processor) | EU-US DPF + Google SCCs |
| 6 | Resend Inc. | Transactional email delivery | US (Delaware), with EU-Frankfurt delivery infrastructure | EU-US DPF + SCCs Module 2 + Resend DPA |
| 7 | Gotenberg | PDF rendering — self-hosted on Railway | EU (within Railway) | Internal EU |
| 8 | Cloudflare R2 | Object storage for PDFs and e-invoice XML | EEA region | Internal EU |
| 9 | Crisp IM SAS + Crisp IM, Inc | Customer support chat (consent-gated) | France (primary) + US | EU-US DPF + SCCs |
| 10 | Sentry (Functional Software, Inc.) | Error monitoring | EU region (de.sentry.io) | Internal EU (with US fallback under SCCs if EU instance fails) |
The Schrems II framework. The Court of Justice of the European Union ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18, 2020) struck down the EU-US Privacy Shield, ruling that US surveillance law (specifically FISA Section 702 and Executive Order 12333) does not provide protection "essentially equivalent" to GDPR for EU personal data transferred to the US. Two consequences:
1. SCCs (Standard Contractual Clauses) remain valid as a legal mechanism — Decision (EU) 2021/914 published the new modular SCCs in 2021 — but the controller must assess whether the importer can in practice meet GDPR-equivalent protection given local surveillance law. This assessment is the Transfer Impact Assessment (TIA).
2. Supplementary measures (encryption, pseudonymisation, data minimisation) may be needed where local law would otherwise enable disproportionate access.
The EU-US Data Privacy Framework (DPF), in force 10 July 2023 (Commission Implementing Decision (EU) 2023/1795), re-establishes adequacy for participating US importers. Companies certify with the US Department of Commerce; certifications are listed at https://www.dataprivacyframework.gov/list. All five Clozo US sub-processors maintain active DPF certification as of the document version date.
Clozo's TIA approach (full document at docs/compliance/TIA_us_subprocessors.md):
For each US sub-processor we apply the EDPB Recommendations 01/2020 six-step methodology:
1. Know your transfers: documented in the table above with volume + purpose + lawful basis.
2. Identify the transfer tool: DPF (primary) + SCCs Module 2 (backup) + sub-processor-specific DPA.
3. Assess effectiveness: per-importer review of FISA 702 / EO 12333 / CLOUD Act exposure.
4. Adopt supplementary measures: pseudonymisation (SHA-256 hashing for Google), data minimisation (no PII beyond necessary), encryption at rest and in transit, retention limits.
5. Procedural steps: sign DPA, verify active DPF certification annually, document the TIA, update RoPA recipients field, update Privacy Policy §5/§6.
6. Re-evaluate: triggered by Schrems-III court ruling, DPF withdrawal, or sub-processor change.
Key per-importer assessments (from the TIA):
- Stripe: not designated as an Electronic Communication Service Provider under FISA 702 (it's a payment processor under the Bank Secrecy Act). Risk LOW. DPF + SCCs sufficient.
- Resend: email service — could plausibly be classified as an ECSP, but volume is small + content is transactional (no marketing, no targeting). Risk LOW with supplementary measures.
- Google: historically named in FISA 702 directives. Mitigation: we send only SHA-256-hashed identifiers + click IDs + transaction values — irreversible without cleartext, pseudonymous, aggregated. Consent Mode v2 attached to every upload. Net: DPF + SCCs + pseudonymisation = "essentially equivalent protection".
- PostHog: ingest is on EU servers; only operational support (debugging, on-call) may transit the US. Pseudonymous IDs only. Net: DPF + SCCs + EU ingest jurisdiction = adequate.
- Cloudflare: potentially classified as an ECSP for FISA 702 (CDN role). Mitigation: data minimisation (only IP + path + status code, no payload). Transparency reports show ~0 FISA orders for non-US small-volume properties. Net: DPF + SCCs + edge minimisation adequate.
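Step 4 of the TIA methodology and the Google assessment above rely on the same supplementary measure: hash the identifier, then let only an allowlisted set of fields cross the border, with the consent signal attached. The Python below is an added illustration of that pattern, not Clozo's pipeline code; the normalisation rules, payload layout and sample record are assumptions (the Consent Mode v2 signal names ad_user_data / ad_personalization are real, everything else is constructed).

```python
import hashlib
import unicodedata
from typing import Optional

# Only these source fields may leave the EU next to the hashed identifier.
# Anything else on the record (name, address, line items) is dropped first.
EXPORT_FIELDS = ("gclid", "transaction_value", "currency")


def normalize_email(email: str) -> str:
    """Canonicalise before hashing so one address always yields one hash.
    Assumption: trim + lowercase + NFKC; the article only says 'SHA-256-hashed'."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def pseudonymise(email: str) -> str:
    """SHA-256 hex digest of the normalised identifier. Deterministic so the
    importer can match it against its own hashed records; pseudonymous rather
    than anonymous, because anyone holding the cleartext can recompute it."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def build_conversion_upload(record: dict, ad_user_data: bool,
                            ad_personalization: bool) -> Optional[dict]:
    """Build the minimised record for upload. Returns None when ad_user_data
    consent is absent: without it no identifier is sent at all. The payload
    layout is an assumption, not the real Google API schema."""
    if not ad_user_data:
        return None
    upload = {key: record[key] for key in EXPORT_FIELDS if key in record}
    upload["hashed_email"] = pseudonymise(record["email"])
    upload["consent"] = {
        "ad_user_data": "GRANTED",
        "ad_personalization": "GRANTED" if ad_personalization else "DENIED",
    }
    return upload


# Constructed sample invoice record; the extra fields must never be uploaded.
SAMPLE_RECORD = {
    "email": "  Alice.Smith@Example.COM ",
    "name": "Alice Smith",
    "address": "Rue de Rivoli 1, Paris",
    "line_items": ["Consultation", "Travel"],
    "gclid": "CONSTRUCTED_CLICK_ID",
    "transaction_value": 149.0,
    "currency": "EUR",
}

if __name__ == "__main__":
    print(build_conversion_upload(SAMPLE_RECORD, True, False))
    print(build_conversion_upload(SAMPLE_RECORD, False, True))
```

Because the hash is deterministic, the same cleartext on both sides still links the records, which is exactly why the output remains personal data and still needs the DPF/SCC basis described above.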
New sub-processor process (Art. 28(2)): Clozo's Terms grant general consent to use sub-processors. When we add a new one, we:
1. Update the sub-processor list in this article + RoPA.md + Privacy Policy §5/§6.
2. Notify all existing customers via email at least 30 days in advance.
3. The 30-day window is your objection period — if you object on legitimate grounds, you can terminate the contract with refund of any prepaid fees.
4. Update the relevant ProcessingActivity row's recipients field in production.