List of sub-processors
This annex lists all sub-processors authorised by Actuals Oy (Commslayer) to process Personal Data on behalf of the Controller. The Controller authorises the engagement of these sub-processors, subject to the conditions set out in Section 7 of the Data Processing Agreement. Changes to this list will be communicated to the Controller at least thirty (30) days in advance via email, during which time the Controller may object on reasonable data protection grounds.
Subprocessor
Legal Entity
Registration Number
Registered Address
Country
Processing Location
Purpose of Processing
Categories of Personal Data
Types of Data Subjects
Security Certifications
Transfer Mechanism
DPA/Privacy Documentation
Google Cloud Platform
Google Ireland Limited
IE 368047
Gordon House, Barrow Street, Dublin 4, Ireland
Ireland (EU)
United States (us-central1, us-west1) and other non-EU regions
Cloud-based services for application functionality and data processing
Customer messages, contact information, order details, and related business data processed through cloud services
End customers of Commslayer merchants, support agents
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II, SOC 3
Standard Contractual Clauses (SCCs) - Incorporated by reference in Google Cloud Data Processing Addendum, which forms part of Cloud Terms of Service
Hetzner Online GmbH
Hetzner Online GmbH
HRB 85845
Industriestrasse 25, 91710 Gunzenhausen, Germany
Germany (EU)
Germany (Falkenstein, Nuremberg, Helsinki)
Primary hosting infrastructure for application servers, databases, and file storage
All data categories: customer contact details, messages, order information, authentication data, system logs
All: merchants (Commslayer users), end customers, support agents
ISO/IEC 27001
EU-based processing (no transfer outside EU/EEA)
Amazon Web Services
Amazon Web Services EMEA SARL
B186284
38 Avenue John F. Kennedy, L-1855 Luxembourg
Luxembourg (EU)
European Union (eu-central-1, eu-west-1)
Secondary hosting, CDN, and infrastructure services
Same as Hetzner (backup and redundancy)
All: merchants, end customers, support agents
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, SOC 3, PCI DSS Level 1
EU-based processing (adequacy maintained within EU)
Postmark
Wildbit, LLC
Delaware LLC
225 Chestnut Street, Philadelphia, PA 19106, USA
United States
United States
Transactional email delivery (notifications, agent alerts, system emails)
Email addresses, customer names, email content, delivery logs
Merchants, support agents, end customers
SOC 2 Type II
Standard Contractual Clauses (SCCs) - Execute via postmarkapp.com/dpa
PostHog Cloud
PostHog Inc.
Delaware C-Corp
2261 Market Street, San Francisco, CA 94114, USA
United States
United States (us-east-1)
Product analytics, user behavior tracking, feature usage monitoring
User email addresses, account IDs, anonymized usage patterns, feature interactions (no message content)
Merchants (Commslayer users)
SOC 2 Type II
Standard Contractual Clauses (SCCs) - Contact PostHog support to execute
Sentry
Functional Software, Inc.
Delaware C-Corp
45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
United States
United States
Error monitoring, crash reporting, performance monitoring
Error logs, stack traces, potentially email addresses or usernames in error context (PII scrubbing configured)
Merchants, support agents
SOC 2 Type II, ISO 27001
Standard Contractual Clauses (SCCs) - Execute via sentry.io/legal/dpa/
Shopify
Shopify International Limited (EU merchants) / Shopify Inc. (non-EU)
Ireland: 510177 / Canada: Corporation #1187946
Victoria House, 1-2 Victoria Road, Dublin 6, Ireland / 151 O'Connor Street, Ottawa, ON K2P 2L8, Canada
Ireland (EU) / Canada
Data originates from and remains on Shopify infrastructure (multi-region)
Source platform - API access to retrieve merchant store data, customer information, orders, and products for helpdesk functionality
All merchant and customer data accessed via API: names, emails, phone numbers, addresses, order history, product data, customer service interactions
Merchants (Commslayer users), their end customers
ISO/IEC 27001, SOC 2 Type II, PCI DSS Level 1
EU Adequacy Decision (Ireland) / Adequacy decision under EU-UK Trade Agreement / SCCs (Canada)
Subprocessor
Legal Entity
Registration Number
Registered Address
Country
Processing Location
Purpose of Processing
Categories of Personal Data
Types of Data Subjects
Security Certifications
Transfer Mechanism
DPA/Privacy Documentation
Google Cloud Platform
Google Ireland Limited
IE 368047
Gordon House, Barrow Street, Dublin 4, Ireland
Ireland (EU)
United States (us-central1, us-west1) and other non-EU regions
Cloud-based services for application functionality and data processing
Customer messages, contact information, order details, and related business data processed through cloud services
End customers of Commslayer merchants, support agents
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II, SOC 3
Standard Contractual Clauses (SCCs) - Incorporated by reference in Google Cloud Data Processing Addendum, which forms part of Cloud Terms of Service
Hetzner Online GmbH
Hetzner Online GmbH
HRB 85845
Industriestrasse 25, 91710 Gunzenhausen, Germany
Germany (EU)
Germany (Falkenstein, Nuremberg, Helsinki)
Primary hosting infrastructure for application servers, databases, and file storage
All data categories: customer contact details, messages, order information, authentication data, system logs
All: merchants (Commslayer users), end customers, support agents
ISO/IEC 27001
EU-based processing (no transfer outside EU/EEA)
Amazon Web Services
Amazon Web Services EMEA SARL
B186284
38 Avenue John F. Kennedy, L-1855 Luxembourg
Luxembourg (EU)
European Union (eu-central-1, eu-west-1)
Secondary hosting, CDN, and infrastructure services
Same as Hetzner (backup and redundancy)
All: merchants, end customers, support agents
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, SOC 3, PCI DSS Level 1
EU-based processing (adequacy maintained within EU)
Postmark
Wildbit, LLC
Delaware LLC
225 Chestnut Street, Philadelphia, PA 19106, USA
United States
United States
Transactional email delivery (notifications, agent alerts, system emails)
Email addresses, customer names, email content, delivery logs
Merchants, support agents, end customers
SOC 2 Type II
Standard Contractual Clauses (SCCs) - Execute via postmarkapp.com/dpa
PostHog Cloud
PostHog Inc.
Delaware C-Corp
2261 Market Street, San Francisco, CA 94114, USA
United States
United States (us-east-1)
Product analytics, user behavior tracking, feature usage monitoring
User email addresses, account IDs, anonymized usage patterns, feature interactions (no message content)
Merchants (Commslayer users)
SOC 2 Type II
Standard Contractual Clauses (SCCs) - Contact PostHog support to execute
Sentry
Functional Software, Inc.
Delaware C-Corp
45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
United States
United States
Error monitoring, crash reporting, performance monitoring
Error logs, stack traces, potentially email addresses or usernames in error context (PII scrubbing configured)
Merchants, support agents
SOC 2 Type II, ISO 27001
Standard Contractual Clauses (SCCs) - Execute via sentry.io/legal/dpa/
Shopify
Shopify International Limited (EU merchants) / Shopify Inc. (non-EU)
Ireland: 510177 / Canada: Corporation #1187946
Victoria House, 1-2 Victoria Road, Dublin 6, Ireland / 151 O'Connor Street, Ottawa, ON K2P 2L8, Canada
Ireland (EU) / Canada
Data originates from and remains on Shopify infrastructure (multi-region)
Source platform - API access to retrieve merchant store data, customer information, orders, and products for helpdesk functionality
All merchant and customer data accessed via API: names, emails, phone numbers, addresses, order history, product data, customer service interactions
Merchants (Commslayer users), their end customers
ISO/IEC 27001, SOC 2 Type II, PCI DSS Level 1
EU Adequacy Decision (Ireland) / Adequacy decision under EU-UK Trade Agreement / SCCs (Canada)
Subprocessor
Legal Entity
Registration Number
Registered Address
Country
Processing Location
Purpose of Processing
Categories of Personal Data
Types of Data Subjects
Security Certifications
Transfer Mechanism
DPA/Privacy Documentation
Google Cloud Platform
Google Ireland Limited
IE 368047
Gordon House, Barrow Street, Dublin 4, Ireland
Ireland (EU)
United States (us-central1, us-west1) and other non-EU regions
Cloud-based services for application functionality and data processing
Customer messages, contact information, order details, and related business data processed through cloud services
End customers of Commslayer merchants, support agents
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II, SOC 3
Standard Contractual Clauses (SCCs) - Incorporated by reference in Google Cloud Data Processing Addendum, which forms part of Cloud Terms of Service
Hetzner Online GmbH
Hetzner Online GmbH
HRB 85845
Industriestrasse 25, 91710 Gunzenhausen, Germany
Germany (EU)
Germany (Falkenstein, Nuremberg, Helsinki)
Primary hosting infrastructure for application servers, databases, and file storage
All data categories: customer contact details, messages, order information, authentication data, system logs
All: merchants (Commslayer users), end customers, support agents
ISO/IEC 27001
EU-based processing (no transfer outside EU/EEA)
Amazon Web Services
Amazon Web Services EMEA SARL
B186284
38 Avenue John F. Kennedy, L-1855 Luxembourg
Luxembourg (EU)
European Union (eu-central-1, eu-west-1)
Secondary hosting, CDN, and infrastructure services
Same as Hetzner (backup and redundancy)
All: merchants, end customers, support agents
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, SOC 3, PCI DSS Level 1
EU-based processing (adequacy maintained within EU)
Postmark
Wildbit, LLC
Delaware LLC
225 Chestnut Street, Philadelphia, PA 19106, USA
United States
United States
Transactional email delivery (notifications, agent alerts, system emails)
Email addresses, customer names, email content, delivery logs
Merchants, support agents, end customers
SOC 2 Type II
Standard Contractual Clauses (SCCs) - Execute via postmarkapp.com/dpa
PostHog Cloud
PostHog Inc.
Delaware C-Corp
2261 Market Street, San Francisco, CA 94114, USA
United States
United States (us-east-1)
Product analytics, user behavior tracking, feature usage monitoring
User email addresses, account IDs, anonymized usage patterns, feature interactions (no message content)
Merchants (Commslayer users)
SOC 2 Type II
Standard Contractual Clauses (SCCs) - Contact PostHog support to execute
Sentry
Functional Software, Inc.
Delaware C-Corp
45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
United States
United States
Error monitoring, crash reporting, performance monitoring
Error logs, stack traces, potentially email addresses or usernames in error context (PII scrubbing configured)
Merchants, support agents
SOC 2 Type II, ISO 27001
Standard Contractual Clauses (SCCs) - Execute via sentry.io/legal/dpa/
Shopify
Shopify International Limited (EU merchants) / Shopify Inc. (non-EU)
Ireland: 510177 / Canada: Corporation #1187946
Victoria House, 1-2 Victoria Road, Dublin 6, Ireland / 151 O'Connor Street, Ottawa, ON K2P 2L8, Canada
Ireland (EU) / Canada
Data originates from and remains on Shopify infrastructure (multi-region)
Source platform - API access to retrieve merchant store data, customer information, orders, and products for helpdesk functionality
All merchant and customer data accessed via API: names, emails, phone numbers, addresses, order history, product data, customer service interactions
Merchants (Commslayer users), their end customers
ISO/IEC 27001, SOC 2 Type II, PCI DSS Level 1
EU Adequacy Decision (Ireland) / Adequacy decision under EU-UK Trade Agreement / SCCs (Canada)
Subprocessor
Legal Entity
Registration Number
Registered Address
Country
Processing Location
Purpose of Processing
Categories of Personal Data
Types of Data Subjects
Security Certifications
Transfer Mechanism
DPA/Privacy Documentation
Google Cloud Platform
Google Ireland Limited
IE 368047
Gordon House, Barrow Street, Dublin 4, Ireland
Ireland (EU)
United States (us-central1, us-west1) and other non-EU regions
Cloud-based services for application functionality and data processing
Customer messages, contact information, order details, and related business data processed through cloud services
End customers of Commslayer merchants, support agents
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II, SOC 3
Standard Contractual Clauses (SCCs) - Incorporated by reference in Google Cloud Data Processing Addendum, which forms part of Cloud Terms of Service
Hetzner Online GmbH
Hetzner Online GmbH
HRB 85845
Industriestrasse 25, 91710 Gunzenhausen, Germany
Germany (EU)
Germany (Falkenstein, Nuremberg, Helsinki)
Primary hosting infrastructure for application servers, databases, and file storage
All data categories: customer contact details, messages, order information, authentication data, system logs
All: merchants (Commslayer users), end customers, support agents
ISO/IEC 27001
EU-based processing (no transfer outside EU/EEA)
Amazon Web Services
Amazon Web Services EMEA SARL
B186284
38 Avenue John F. Kennedy, L-1855 Luxembourg
Luxembourg (EU)
European Union (eu-central-1, eu-west-1)
Secondary hosting, CDN, and infrastructure services
Same as Hetzner (backup and redundancy)
All: merchants, end customers, support agents
ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1, SOC 2, SOC 3, PCI DSS Level 1
EU-based processing (adequacy maintained within EU)
Postmark
Wildbit, LLC
Delaware LLC
225 Chestnut Street, Philadelphia, PA 19106, USA
United States
United States
Transactional email delivery (notifications, agent alerts, system emails)
Email addresses, customer names, email content, delivery logs
Merchants, support agents, end customers
SOC 2 Type II
Standard Contractual Clauses (SCCs) - Execute via postmarkapp.com/dpa
PostHog Cloud
PostHog Inc.
Delaware C-Corp
2261 Market Street, San Francisco, CA 94114, USA
United States
United States (us-east-1)
Product analytics, user behavior tracking, feature usage monitoring
User email addresses, account IDs, anonymized usage patterns, feature interactions (no message content)
Merchants (Commslayer users)
SOC 2 Type II
Standard Contractual Clauses (SCCs) - Contact PostHog support to execute
Sentry
Functional Software, Inc.
Delaware C-Corp
45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
United States
United States
Error monitoring, crash reporting, performance monitoring
Error logs, stack traces, potentially email addresses or usernames in error context (PII scrubbing configured)
Merchants, support agents
SOC 2 Type II, ISO 27001
Standard Contractual Clauses (SCCs) - Execute via sentry.io/legal/dpa/
Shopify
Shopify International Limited (EU merchants) / Shopify Inc. (non-EU)
Ireland: 510177 / Canada: Corporation #1187946
Victoria House, 1-2 Victoria Road, Dublin 6, Ireland / 151 O'Connor Street, Ottawa, ON K2P 2L8, Canada
Ireland (EU) / Canada
Data originates from and remains on Shopify infrastructure (multi-region)
Source platform - API access to retrieve merchant store data, customer information, orders, and products for helpdesk functionality
All merchant and customer data accessed via API: names, emails, phone numbers, addresses, order history, product data, customer service interactions
Merchants (Commslayer users), their end customers
ISO/IEC 27001, SOC 2 Type II, PCI DSS Level 1
EU Adequacy Decision (Ireland) / Adequacy decision under EU-UK Trade Agreement / SCCs (Canada)
