ZappService
Home Tools Articles Pricing
Login Start Free

Subprocessor Registry

Last updated: January 20, 2025

This document lists all sub-processors engaged by ZappService (NevergetOld, Lda.) to process customer data on behalf of our customers.

This registry is maintained in accordance with Article 28(2) of the EU General Data Protection Regulation (GDPR) and our Data Processing Agreement.

What is a Subprocessor?

A subprocessor is any third-party service provider engaged by ZappService to assist in delivering our services to you. These providers may have access to or process customer data as part of providing infrastructure, support, or other operational services.

All subprocessors are carefully vetted and bound by data processing agreements that ensure they handle personal data in compliance with GDPR and our security standards.

How We Notify You of Changes

In accordance with Section 5.5 of our Data Processing Agreement:

  • 30-Day Notice: We provide written notice at least 30 days before engaging any new subprocessor or replacing an existing one
  • Notice Method: Email to your primary contact and in-dashboard notifications
  • Your Right to Object: You may object to any new subprocessor within 30 days if you have reasonable grounds related to data protection compliance

Current Subprocessors

Infrastructure & Hosting

| Subprocessor | Location | Purpose | Data Categories | Transfer Mechanism | |--------------|----------|---------|-----------------|-------------------| | OVH SAS | France (EU) | VPS hosting, database hosting, primary infrastructure | All customer data including personal data, service requests, activities, contracts | GDPR applies (EU-based) | | Cloudflare, Inc. | USA (with EU data centers) | Content delivery network (CDN), DDoS protection, DNS services, R2 file storage (EU region) | IP addresses, HTTP headers, cached content, uploaded files and attachments | EU Standard Contractual Clauses (SCCs) + EU data centers |

Communication & Email

| Subprocessor | Location | Purpose | Data Categories | Transfer Mechanism | |--------------|----------|---------|-----------------|-------------------| | Amazon Web Services EMEA SARL | Ireland (EU) | Email delivery via Amazon SES | Email addresses, email content, notification data | GDPR applies (EU-based) | | Postmark (Wildbit, LLC) | USA (with EU servers) | Transactional email delivery | Email addresses, recipient names, email content | EU Standard Contractual Clauses (SCCs) |

Payment Processing

| Subprocessor | Location | Purpose | Data Categories | Transfer Mechanism | |--------------|----------|---------|-----------------|-------------------| | Stripe, Inc. | USA (with EU operations) | Payment processing, subscription management | Customer names, email addresses, payment methods, billing addresses | EU Standard Contractual Clauses (SCCs) + PCI DSS certified | | Paddle.com Market Limited | UK | Payment processing for certain regions | Customer names, email addresses, billing information | UK Adequacy Decision + GDPR compliance |

AI & Voice Processing

| Subprocessor | Location | Purpose | Data Categories | Transfer Mechanism | |--------------|----------|---------|-----------------|-------------------| | Mistral AI | France (EU) | Voice-to-text transcription (Voxtral model) | Temporary audio files (deleted within 5 seconds), transcribed text | GDPR applies (EU-based) | | OpenRouter (Helicone, Inc.) | USA | AI model routing for natural language understanding | Transcribed text only, anonymized queries | EU Standard Contractual Clauses (SCCs) | | Google Ireland Limited | Ireland (EU) | Code analysis via Gemini API (development only) | Source code (anonymized, no customer data) | GDPR applies (EU-based) |

Analytics & Monitoring

| Subprocessor | Location | Purpose | Data Categories | Transfer Mechanism | |--------------|----------|---------|-----------------|-------------------| | Umami Software | EU (self-hosted) | Privacy-focused website analytics | IP addresses (anonymized), page visits, referrers | GDPR applies (self-hosted in EU) | | Sentry (Functional Software, Inc.) | USA (with EU option) | Error tracking and application monitoring | IP addresses, error logs, stack traces | EU Standard Contractual Clauses (SCCs) |

Development & Support Tools

| Subprocessor | Location | Purpose | Data Categories | Transfer Mechanism | |--------------|----------|---------|-----------------|-------------------| | GitHub, Inc. (Microsoft) | USA | Code repository hosting | Source code, commit history (no customer data) | Not applicable (no customer personal data) | | Laravel Forge (Taylor Otwell) | USA | Server provisioning and deployment | Server metadata, deployment logs | Not applicable (infrastructure only) |

Data Processing Principles

All subprocessors are required to:

  1. Process data only on our instructions - No independent use of customer data
  2. Implement appropriate security measures - Encryption, access controls, monitoring
  3. Maintain confidentiality - Staff bound by confidentiality agreements
  4. Assist with data subject rights - Support access, deletion, and portability requests
  5. Report breaches promptly - Within 24 hours of discovery
  6. Allow audits - Customer or appointed auditors may review compliance
  7. Delete or return data - Upon termination of services

Special Categories of Data

ZappService does not intentionally process "special categories" of personal data (sensitive data such as health data, biometric data, religious beliefs, etc.) as defined in GDPR Article 9.

If you plan to store special categories of data in ZappService, please contact us at hello@zappservice.com to discuss additional safeguards.

AI Service Specific Protections

For subprocessors providing AI services (Mistral AI, OpenRouter, Google Gemini):

Data Retention

  • Audio files: Deleted within 5 seconds of transcription
  • Transcribed text: Not used for AI model training
  • Query logs: Retained for 30 days for troubleshooting, then deleted

Usage Limits

  • Free Plan: 10 commands/day
  • Starter Plan: 50 commands/day
  • Professional Plan: 200 commands/day
  • Enterprise Plan: Unlimited

Opt-Out

Customers can completely disable AI features in Settings > Privacy > AI Processing.

International Data Transfers

European Union (EU/EEA)

Data processed within the EU/EEA is subject to GDPR protections directly.

United Kingdom

The UK benefits from an adequacy decision, ensuring equivalent data protection standards.

United States

For US-based subprocessors:

  • Standard Contractual Clauses (SCCs) are in place
  • Supplementary measures include encryption and access controls
  • Data localization options available for Enterprise customers

Other Jurisdictions

We do not currently engage subprocessors in other jurisdictions. Any future expansion will be notified per our 30-day change procedure.

Your Rights

Right to Object

You may object to the use of any subprocessor if you have reasonable grounds related to:

  • Data protection compliance concerns
  • Inadequate security measures
  • Location or legal environment risks
  • Subprocessor's compliance history

How to Object:

  1. Email hello@zappservice.com within 30 days of notification
  2. Provide specific reasons for your objection
  3. We will work with you to find an alternative solution or allow service termination without penalty

Right to Audit

Enterprise customers have the right to audit subprocessor compliance:

  • Once annually at ZappService's cost
  • Additional audits at customer's cost
  • Review of existing certifications (ISO 27001, SOC 2) available

Notification of Changes

We maintain this registry and notify customers of changes via:

  1. Email Notification: Sent to account owner and billing contact
  2. Dashboard Alert: In-app notification upon login
  3. This Page: Updated in real-time with change log below

Change Log

| Date | Change Type | Subprocessor | Description | |------|-------------|--------------|-------------| | 2025-01-20 | Initial | All | Initial publication of comprehensive subprocessor registry with realistic startup infrastructure | | 2025-01-20 | Update | OVH SAS | Confirmed as primary infrastructure provider (France) | | 2025-01-20 | Update | Cloudflare | Added R2 file storage details (EU region) | | 2025-01-13 | Addition | Mistral AI | Added for voice transcription services (EU-based) | | 2025-01-13 | Addition | OpenRouter | Added for AI query processing | | 2024-12-01 | Addition | Umami Software | Replaced Google Analytics with privacy-focused alternative |

Questions?

For questions about our subprocessors or data processing practices:

  • Email: hello@zappservice.com
  • Data Protection Officer: hello@zappservice.com
  • Address: Torres Vedras, Portugal

Document Version: 1.0 Effective Date: January 13, 2025 Next Review: April 13, 2025