Sub-processors
The third parties Fidify engages to help deliver the service, with the purpose, data categories, and processing location for each.
About this list
A sub-processor is any third party Fidify engages to help deliver the service on behalf of our customers under GDPR Article 28. Every sub-processor is bound by a written agreement that imposes equivalent data-protection obligations to those in our Data Processing Agreement.
Current sub-processors
Google Ireland Limited (Google Cloud Platform)
- Purpose
- Hosting infrastructure, including compute, storage, database, messaging, encryption-key management, and logging. Also provides AI inference for the AI providers selected by customer policy.
- Data categories
- Customer document content, identifiers, authentication tokens, session data, logs, encryption keys, AI prompts and completions.
- Location
- European Union
- Transfer mechanism
- Intra-EU. No transfer mechanism required.
Google LLC
- Purpose
- Push notification delivery to Android and web users.
- Data categories
- Device registration tokens, user identifiers, notification title and body, event metadata.
- Location
- United States
- Transfer mechanism
- EU Standard Contractual Clauses, plus supplementary safeguards.
Apple Distribution International Ltd
- Purpose
- Push notification delivery to iOS users.
- Data categories
- Device tokens, notification title and body, event metadata.
- Location
- Ireland and United States
- Transfer mechanism
- Intra-EU for the Apple contracting entity. EU Standard Contractual Clauses cover any onward transfer to the United States.
Twilio SendGrid Inc.
- Purpose
- Transactional email delivery, including invitations, document share links, recovery emails, and one-time passcodes.
- Data categories
- Recipient email addresses and names, invitation tokens, portal and organisation names, email body content.
- Location
- United States
- Transfer mechanism
- EU Standard Contractual Clauses, plus supplementary safeguards.
Stripe Payments Europe Ltd
- Purpose
- Payment processing and billing.
- Data categories
- Customer email, billing name, payment-method metadata (last four digits, card brand, expiry; full card number never reaches Fidify), transaction amounts, subscription identifiers.
- Location
- Ireland, with onward processing in the United States for payment-network routing.
- Transfer mechanism
- Intra-EU primary. EU Standard Contractual Clauses for onward transfer to the United States.
Functional Software, Inc. (Sentry)
- Purpose
- Error monitoring across the web portal, services, and mobile applications.
- Data categories
- Stack traces, user identifiers, IP addresses, browser and device fingerprints, application event trails. Personal data is scrubbed before submission.
- Location
- European Union
- Transfer mechanism
- Intra-EU. No transfer mechanism required.
OpenAI Ireland Ltd
- Purpose
- AI inference for risk assessment, compliance narrative generation, and document analysis when a customer's AI policy selects OpenAI as the provider.
- Data categories
- Document text excerpts, policy prompts, extracted compliance fields. Content is not used to train OpenAI models.
- Location
- United States
- Transfer mechanism
- EU Standard Contractual Clauses, plus the OpenAI data-processing agreement.
Anthropic Ireland, Limited
- Purpose
- AI inference when a customer's AI policy selects Anthropic as the provider.
- Data categories
- Document text excerpts, policy prompts, extracted compliance fields. Content is not used to train Anthropic models.
- Location
- United States
- Transfer mechanism
- EU Standard Contractual Clauses, plus the Anthropic data-processing agreement.
Tavily AI Inc.
- Purpose
- Web search context retrieval for AI workflows, including compliance research and entity enrichment.
- Data categories
- Search queries, which may include entity or company names.
- Location
- United States
- Transfer mechanism
- EU Standard Contractual Clauses.
Notification of changes
Before engaging a new sub-processor or replacing an existing one, Fidify notifies customers in line with section 5.2 of our Data Processing Agreement. Customers have fourteen days from notice to object in writing.
Questions
For questions about this list or to request the signed records of processing activities, email dpo@fidify.se.
Related documents
- Data Processing Agreement: full contractual terms governing sub-processor use.
- Technical and Organisational Measures: security controls applied across Fidify and our sub-processors.
- Privacy Policy: how Fidify processes personal data overall.
- Trust and Security: certifications, audits, and controls summary.