Legal

Subprocessors

Last updated: May 13, 2026 · Ethira AB

This page lists all third-party subprocessors that Ethira AB may engage to process personal data on behalf of its customers, in accordance with Article 28 of the GDPR. All data is processed within the European Union or under appropriate safeguards (EU Standard Contractual Clauses). We maintain a contractual Data Processing Agreement with each subprocessor and notify customers of material changes at least 30 days in advance.

Infrastructure & Storage

Amazon Web Services EMEA SARL

Germany (Frankfurt)

Email

Mailjet SAS

France / European Union

Identity & SSO

Google LLC

European Union (EU infrastructure via Google Cloud)

Microsoft Corporation

European Union (Microsoft EU Data Boundary)

Slack Technologies LLC

European Union (Slack EU data residency)

Collaboration

Linear Orbit, Inc.

European Union

Atlassian Pty Ltd

European Union

Vanta, Inc.

European Union

Google LLC (Google Workspace)

European Union (Google Cloud EU infrastructure)

Slack Technologies LLC (messaging)

European Union (Slack EU data residency)

AI & LLM

Requesty AI

Germany (Frankfurt)

OpenAI, LLC

Germany (Frankfurt)

LangChain, Inc. (LangSmith)

European Union (eu.api.smith.langchain.com)

Wordsmith

Per customer configuration

Monitoring & Analytics

Functional Software, Inc. (Sentry)

European Union (Sentry EU region)

PostHog, Inc.

European Union (Frankfurt)

Security

Aikido Security

European Union (Belgium)

Portal & Feedback

Featurebase

European Union

Appendix 2 — Full Subprocessor Details

Complete GDPR Article 28 subprocessor register as required under the Controller–Processor agreement.

Company / organisation	Address	Location of Personal Data	Types of Personal Data	Purpose	Processing time	Additional information
Amazon Web Services EMEA SARL	38 Avenue John F. Kennedy, L-1855 Luxembourg · aws.amazon.com/contact-us	Germany (Frankfurt)	File and document blobs Object metadata Workspace file paths	Cloud object storage for uploaded files, documents, public hosted documents, and import artefacts	Retained for the duration of the account relationship and applicable legal obligations; AWS does not independently retain customer object storage data beyond what Ethira stores.	AWS Data Processing Addendum in place. Data stored exclusively in the Frankfurt (Germany) region. Privacy policy ↗
Mailjet SAS	13–13 bis rue de l'Aubrac, 75012 Paris, France	France / European Union	Email addresses Names (first, last) Email subject and body content	Delivery of transactional emails: workspace invitations, security review notifications, password resets, and system alerts	For the duration of the Ethira–Mailjet agreement; email send logs retained per applicable legal and tax obligations.	Mailjet is an EU-headquartered processor. DPA signed. Data processed within the EU. Privacy policy ↗
Google LLC	1600 Amphitheatre Parkway, Mountain View, CA 94043, USA	European Union (EU infrastructure via Google Cloud)	Email address Sign-in profile (name, picture) Authentication tokens Google Calendar event data Google Drive file metadata and content Google Workspace directory users and audit events	Google sign-in; Google Calendar, Drive, and Workspace Admin integrations for compliance and governance workflows	For the duration of the active Google integration; authentication tokens revocable and deleted at any time via workspace settings.	Google Cloud Data Processing Addendum in place. EU Standard Contractual Clauses (SCCs) apply for transfers. EU Data Processing Addendum available at cloud.google.com/terms/data-processing-addendum. Privacy policy ↗
Microsoft Corporation	One Microsoft Way, Redmond, WA 98052, USA	European Union (Microsoft EU Data Boundary)	Microsoft account identifiers Email address Authentication tokens OneDrive file metadata and content Microsoft Teams channel message content	Microsoft sign-in and Microsoft 365 integration (OneDrive files, Teams notifications)	For the duration of the active Microsoft 365 integration; data removed following revocation of the integration.	Microsoft EU Data Boundary commitment. Data Processing Agreement and SCCs in place via Microsoft Online Services Terms. Privacy policy ↗
Slack Technologies LLC	500 Howard Street, San Francisco, CA 94105, USA (Salesforce subsidiary)	European Union (Slack EU data residency)	Slack user and channel identifiers Email address Message text (outbound notifications) Profile information when using Slack Sign-In	Slack sign-in; Slack workspace integration for alerts, questionnaire notifications, and channel messaging	Retained in accordance with the workspace's configurable Slack retention settings; deletable by the workspace administrator at any time.	Slack EU data residency available. DPA in place. Privacy policy ↗
Linear Orbit, Inc.	340 S Lemon Ave #1039, Walnut, CA 91789, USA	European Union	Issue titles and descriptions Comments Assignee names Authentication tokens	Issue tracking integration for internal team workflows	For the duration of the Linear account; deleted on account closure.	EU-hosted. Data Processing Agreement in place. Privacy policy ↗
Atlassian Pty Ltd	341 George Street, Sydney NSW 2000, Australia	European Union	Jira ticket titles, descriptions, and comments User metadata (name, account ID) Authentication tokens	Jira Cloud integration for issue tracking and project management workflows	For the duration of the Jira subscription; Customer Personal Data deleted following account termination per Atlassian's Data Processing Agreement.	EU data residency enabled. Atlassian Data Processing Agreement in place. Privacy policy ↗
Vanta, Inc.	369 Pine Street, Suite 520, San Francisco, CA 94104, USA	European Union	Vendor inventory metadata Security review records Document URLs API credentials	Compliance platform integration: syncing vendor and security review data between Ethira and Vanta	For the duration of the Vanta integration; deleted upon integration termination and per applicable legal obligations.	EU-hosted. Data Processing Agreement in place. Privacy policy ↗
Google LLC (Google Workspace)	1600 Amphitheatre Parkway, Mountain View, CA 94043, USA	European Union (Google Cloud EU infrastructure)	Employee names and email addresses Document and file content (Docs, Sheets, Drive) Calendar events and meeting metadata Video call metadata (Google Meet)	Internal team collaboration — email, document editing, file storage, calendar, and video conferencing for Ethira staff	For the duration of the employment or contractor relationship; deleted per standard offboarding procedures.	Google Workspace Data Processing Amendment in place. EU data processing addendum available at workspace.google.com/terms/dpa. Privacy policy ↗
Slack Technologies LLC (messaging)	500 Howard Street, San Francisco, CA 94105, USA (Salesforce subsidiary)	European Union (Slack EU data residency)	Employee names and email addresses Direct message and channel message content Shared files and attachments Workspace membership and profile data	Internal team messaging and communication platform for Ethira staff	For the duration of employment; governed by the workspace's configured Slack message and file retention policy.	EU data residency enabled. Slack Data Processing Agreement in place. Privacy policy ↗
Requesty AI	Requesty AI · requesty.ai/contact	Germany (Frankfurt)	AI prompt text (may contain workspace-derived content) AI model responses Request metadata	EU-based AI routing service — forwards AI requests to underlying model providers while keeping data within the EU	Zero data retention — requests and responses are discarded immediately after routing; no data is stored by Requesty.	Data processed in Frankfurt, Germany. Does not leave the EU. Privacy policy ↗
OpenAI, LLC	3180 18th Street, San Francisco, CA 94110, USA	Germany (Frankfurt)	AI prompt text (may include document excerpts and workspace context) AI model responses	Fallback AI provider for AI-assisted features (document analysis, questionnaire autofill, corporate research)	Zero data retention API tier — inputs and responses are not stored by OpenAI.	EU API endpoint used (Frankfurt). OpenAI Data Processing Agreement and SCCs in place. Privacy policy ↗
LangChain, Inc. (LangSmith)	3 East Third Avenue, Suite 200, San Mateo, CA 94401, USA	European Union (eu.api.smith.langchain.com)	AI trace metadata (model used, token counts, response time) AI prompt and response content depending on tracing configuration	AI observability and trace logging for debugging and quality assurance of AI features	Up to 400 days by default (configurable at the project level); traces can be deleted at any time.	EU API endpoint in use. LangChain Data Processing Agreement in place. Privacy policy ↗
Wordsmith	Wordsmith AI · wordsmith.ai/contact	Per customer configuration	Questions and prompts submitted to the assistant File names and types AI assistant responses	Per-workspace AI assistant integration for document Q&A and knowledge management	Zero data retention — prompts and responses are not stored or logged by Wordsmith or its AI providers.	Endpoint and API key are customer-configured per workspace. Ethira acts as conduit; data processing terms are between the customer and Wordsmith. Privacy policy ↗
Functional Software, Inc. (Sentry)	45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA	European Union (Sentry EU region)	Exception messages and stack traces Request metadata (page URL, response status) User context at time of error (user identifier, workspace identifier)	Error monitoring, performance tracing, and alerting for the Ethira API and web application	Up to 90 days for error events and session replays; up to 30 days for performance and log data (Sentry Business plan defaults).	Sentry EU data region selected. DPA and SCCs in place. Configured to minimise personal data captured in error reports. Privacy policy ↗
PostHog, Inc.	2261 Market Street #4008, San Francisco, CA 94114, USA	European Union (Frankfurt)	User identifier Event names and timestamps Product analytics event properties Email address and name (sent on login for user-level analytics)	Server-side product analytics to understand feature usage and improve the platform	Session replays: 90 days; analytics event data: up to 7 years; deletable on data subject request.	EU Cloud hosting in Frankfurt. PostHog DPA in place. Privacy policy ↗
Aikido Security	Voorhavenlaan 31, 9000 Ghent, Belgium	European Union (Belgium)	Application request telemetry (page route, response status) Runtime security event metadata	Runtime security firewall — detects and blocks injection attacks and malicious payloads in production	For as long as necessary for security monitoring purposes, per Aikido's data retention policy.	EU-headquartered processor. Data processed within the EU. Active in production environment only. Privacy policy ↗
Featurebase	Featurebase · featurebase.app/contact	European Union	User identifier (derived from workspace user record) Workspace identifier User profile information for portal sign-in	Single sign-on for the Featurebase customer feedback and feature-request portal	Per session; customer content deleted within 90 days after contract termination; operational logs retained up to 12 months; encrypted backups overwritten within 365 days.	EU-hosted. Only user and workspace identifiers are included; no sensitive personal data. Privacy policy ↗

Appendix 2 — Full Subprocessor Details

Complete GDPR Article 28 subprocessor register as required under the Controller–Processor agreement.

Company / organisation	Address	Location of Personal Data	Types of Personal Data	Purpose	Processing time	Additional information
Amazon Web Services EMEA SARL	38 Avenue John F. Kennedy, L-1855 Luxembourg · aws.amazon.com/contact-us	Germany (Frankfurt)	File and document blobs Object metadata Workspace file paths	Cloud object storage for uploaded files, documents, public hosted documents, and import artefacts	Retained for the duration of the account relationship and applicable legal obligations; AWS does not independently retain customer object storage data beyond what Ethira stores.	AWS Data Processing Addendum in place. Data stored exclusively in the Frankfurt (Germany) region. Privacy policy ↗
Mailjet SAS	13–13 bis rue de l'Aubrac, 75012 Paris, France	France / European Union	Email addresses Names (first, last) Email subject and body content	Delivery of transactional emails: workspace invitations, security review notifications, password resets, and system alerts	For the duration of the Ethira–Mailjet agreement; email send logs retained per applicable legal and tax obligations.	Mailjet is an EU-headquartered processor. DPA signed. Data processed within the EU. Privacy policy ↗
Google LLC	1600 Amphitheatre Parkway, Mountain View, CA 94043, USA	European Union (EU infrastructure via Google Cloud)	Email address Sign-in profile (name, picture) Authentication tokens Google Calendar event data Google Drive file metadata and content Google Workspace directory users and audit events	Google sign-in; Google Calendar, Drive, and Workspace Admin integrations for compliance and governance workflows	For the duration of the active Google integration; authentication tokens revocable and deleted at any time via workspace settings.	Google Cloud Data Processing Addendum in place. EU Standard Contractual Clauses (SCCs) apply for transfers. EU Data Processing Addendum available at cloud.google.com/terms/data-processing-addendum. Privacy policy ↗
Microsoft Corporation	One Microsoft Way, Redmond, WA 98052, USA	European Union (Microsoft EU Data Boundary)	Microsoft account identifiers Email address Authentication tokens OneDrive file metadata and content Microsoft Teams channel message content	Microsoft sign-in and Microsoft 365 integration (OneDrive files, Teams notifications)	For the duration of the active Microsoft 365 integration; data removed following revocation of the integration.	Microsoft EU Data Boundary commitment. Data Processing Agreement and SCCs in place via Microsoft Online Services Terms. Privacy policy ↗
Slack Technologies LLC	500 Howard Street, San Francisco, CA 94105, USA (Salesforce subsidiary)	European Union (Slack EU data residency)	Slack user and channel identifiers Email address Message text (outbound notifications) Profile information when using Slack Sign-In	Slack sign-in; Slack workspace integration for alerts, questionnaire notifications, and channel messaging	Retained in accordance with the workspace's configurable Slack retention settings; deletable by the workspace administrator at any time.	Slack EU data residency available. DPA in place. Privacy policy ↗
Linear Orbit, Inc.	340 S Lemon Ave #1039, Walnut, CA 91789, USA	European Union	Issue titles and descriptions Comments Assignee names Authentication tokens	Issue tracking integration for internal team workflows	For the duration of the Linear account; deleted on account closure.	EU-hosted. Data Processing Agreement in place. Privacy policy ↗
Atlassian Pty Ltd	341 George Street, Sydney NSW 2000, Australia	European Union	Jira ticket titles, descriptions, and comments User metadata (name, account ID) Authentication tokens	Jira Cloud integration for issue tracking and project management workflows	For the duration of the Jira subscription; Customer Personal Data deleted following account termination per Atlassian's Data Processing Agreement.	EU data residency enabled. Atlassian Data Processing Agreement in place. Privacy policy ↗
Vanta, Inc.	369 Pine Street, Suite 520, San Francisco, CA 94104, USA	European Union	Vendor inventory metadata Security review records Document URLs API credentials	Compliance platform integration: syncing vendor and security review data between Ethira and Vanta	For the duration of the Vanta integration; deleted upon integration termination and per applicable legal obligations.	EU-hosted. Data Processing Agreement in place. Privacy policy ↗
Google LLC (Google Workspace)	1600 Amphitheatre Parkway, Mountain View, CA 94043, USA	European Union (Google Cloud EU infrastructure)	Employee names and email addresses Document and file content (Docs, Sheets, Drive) Calendar events and meeting metadata Video call metadata (Google Meet)	Internal team collaboration — email, document editing, file storage, calendar, and video conferencing for Ethira staff	For the duration of the employment or contractor relationship; deleted per standard offboarding procedures.	Google Workspace Data Processing Amendment in place. EU data processing addendum available at workspace.google.com/terms/dpa. Privacy policy ↗
Slack Technologies LLC (messaging)	500 Howard Street, San Francisco, CA 94105, USA (Salesforce subsidiary)	European Union (Slack EU data residency)	Employee names and email addresses Direct message and channel message content Shared files and attachments Workspace membership and profile data	Internal team messaging and communication platform for Ethira staff	For the duration of employment; governed by the workspace's configured Slack message and file retention policy.	EU data residency enabled. Slack Data Processing Agreement in place. Privacy policy ↗
Requesty AI	Requesty AI · requesty.ai/contact	Germany (Frankfurt)	AI prompt text (may contain workspace-derived content) AI model responses Request metadata	EU-based AI routing service — forwards AI requests to underlying model providers while keeping data within the EU	Zero data retention — requests and responses are discarded immediately after routing; no data is stored by Requesty.	Data processed in Frankfurt, Germany. Does not leave the EU. Privacy policy ↗
OpenAI, LLC	3180 18th Street, San Francisco, CA 94110, USA	Germany (Frankfurt)	AI prompt text (may include document excerpts and workspace context) AI model responses	Fallback AI provider for AI-assisted features (document analysis, questionnaire autofill, corporate research)	Zero data retention API tier — inputs and responses are not stored by OpenAI.	EU API endpoint used (Frankfurt). OpenAI Data Processing Agreement and SCCs in place. Privacy policy ↗
LangChain, Inc. (LangSmith)	3 East Third Avenue, Suite 200, San Mateo, CA 94401, USA	European Union (eu.api.smith.langchain.com)	AI trace metadata (model used, token counts, response time) AI prompt and response content depending on tracing configuration	AI observability and trace logging for debugging and quality assurance of AI features	Up to 400 days by default (configurable at the project level); traces can be deleted at any time.	EU API endpoint in use. LangChain Data Processing Agreement in place. Privacy policy ↗
Wordsmith	Wordsmith AI · wordsmith.ai/contact	Per customer configuration	Questions and prompts submitted to the assistant File names and types AI assistant responses	Per-workspace AI assistant integration for document Q&A and knowledge management	Zero data retention — prompts and responses are not stored or logged by Wordsmith or its AI providers.	Endpoint and API key are customer-configured per workspace. Ethira acts as conduit; data processing terms are between the customer and Wordsmith. Privacy policy ↗
Functional Software, Inc. (Sentry)	45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA	European Union (Sentry EU region)	Exception messages and stack traces Request metadata (page URL, response status) User context at time of error (user identifier, workspace identifier)	Error monitoring, performance tracing, and alerting for the Ethira API and web application	Up to 90 days for error events and session replays; up to 30 days for performance and log data (Sentry Business plan defaults).	Sentry EU data region selected. DPA and SCCs in place. Configured to minimise personal data captured in error reports. Privacy policy ↗
PostHog, Inc.	2261 Market Street #4008, San Francisco, CA 94114, USA	European Union (Frankfurt)	User identifier Event names and timestamps Product analytics event properties Email address and name (sent on login for user-level analytics)	Server-side product analytics to understand feature usage and improve the platform	Session replays: 90 days; analytics event data: up to 7 years; deletable on data subject request.	EU Cloud hosting in Frankfurt. PostHog DPA in place. Privacy policy ↗
Aikido Security	Voorhavenlaan 31, 9000 Ghent, Belgium	European Union (Belgium)	Application request telemetry (page route, response status) Runtime security event metadata	Runtime security firewall — detects and blocks injection attacks and malicious payloads in production	For as long as necessary for security monitoring purposes, per Aikido's data retention policy.	EU-headquartered processor. Data processed within the EU. Active in production environment only. Privacy policy ↗
Featurebase	Featurebase · featurebase.app/contact	European Union	User identifier (derived from workspace user record) Workspace identifier User profile information for portal sign-in	Single sign-on for the Featurebase customer feedback and feature-request portal	Per session; customer content deleted within 90 days after contract termination; operational logs retained up to 12 months; encrypted backups overwritten within 365 days.	EU-hosted. Only user and workspace identifiers are included; no sensitive personal data. Privacy policy ↗