All third-party processors engaged by ExactFlow p.s.a. to process personal data on behalf of Platform Clients
Effective Date: 1 April 2026 | Version 1.0 | Review Cycle: Quarterly | Governing Instrument: GDPR Article 28(2)–(4)
| Role of ExactFlow | Data Processor acting on behalf of Platform Clients, who are the Data Controllers |
|---|---|
| Purpose of this List | GDPR Article 28(2) prohibits a processor from engaging another processor without the controller's prior specific or general written authorisation; under a general authorisation, the processor must inform the controller of any intended addition or replacement of sub-processors so that the controller can object. This list is how ExactFlow provides that information to Clients |
| Consent Model | General prior authorisation — Clients consent to sub-processors listed here at contract inception. Clients will receive 30 days' advance notice of new or changed sub-processors and may object per Section 4 |
| Data Contact | privacy@exactflow.com |
| DPA Reference | ExactFlow Data Processing Agreement, Annex 3 |
This list reflects sub-processors engaged by ExactFlow as of the Effective Date above. ExactFlow reviews this list quarterly. Clients subscribed to sub-processor change notifications will receive email alerts automatically. All sub-processors are bound by Data Processing Agreements (DPAs) incorporating Standard Contractual Clauses (SCCs) where required for international transfers.
| Sub-Processor | Service Provided | Data Categories Processed | Processing Location | Transfer Mechanism | Certifications |
|---|---|---|---|---|---|
| EU-based Cloud Provider (Tier 1) | Primary cloud infrastructure — compute, storage, databases, networking for all Platform services | All personal data categories hosted on the Platform | EU / EEA (Poland / Germany) | EEA — no transfer | ISO 27001; SOC 2 Type II; PCI-DSS |
| Content Delivery Network (CDN) | Global content delivery for static assets and media | Anonymized request metadata, IP addresses (transient) | EU PoPs primary; global edge nodes | SCCs (EU–US) | ISO 27001 |
| Backup and Disaster Recovery Provider | Encrypted data backup and geo-redundant replication | All Platform data categories (encrypted at rest) | EU / EEA | EEA — no transfer | ISO 27001; SOC 2 Type II |
| Sub-Processor | Service Provided | Data Categories Processed | Processing Location | Transfer Mechanism | Certifications |
|---|---|---|---|---|---|
| Primary Payment Gateway | Card payment authorisation, 3DS authentication, transaction processing | Payment method type, tokenized card references, billing address, transaction amount and reference | EU / EEA | EEA — no transfer | PCI-DSS Level 1; ISO 27001 |
| Alternative Payment Methods Provider | Processing of BLIK, bank transfer, and local EU payment methods | Payment method identifiers, bank references, transaction data | EU / EEA | EEA — no transfer | PCI-DSS; applicable national payment regulation |
| Escrow Services Provider | Holding Transaction funds pending delivery confirmation and withdrawal period expiry | Transaction identifiers, seller and buyer account references, amounts | EU / EEA | EEA — no transfer | ISO 27001; regulated payment institution |
| Fraud Scoring Service | Real-time transaction risk assessment and fraud signal analysis | IP address, device fingerprint, transaction velocity signals, pseudonymized user identifier | EU / EEA + US | SCCs (EU–US); adequacy where applicable | SOC 2 Type II; PCI-DSS |
| Sub-Processor | Service Provided | Data Categories Processed | Processing Location | Transfer Mechanism | Certifications |
|---|---|---|---|---|---|
| Transactional Email Provider | Sending order confirmations, system notifications, account alerts, password resets | Email address, name, message content, delivery metadata | EU / EEA | EEA — no transfer | ISO 27001; SOC 2 Type II |
| Marketing Email Platform | Sending opt-in marketing communications and newsletters (consent-gated only) | Email address, name, consent preferences, campaign interaction data | EU / EEA | EEA — no transfer | ISO 27001; GDPR-compliant DPA |
| Help Desk / Support Platform | Managing customer support tickets, chat, and knowledge base | Name, email, support ticket content, account identifiers | EU / EEA | EEA — no transfer | ISO 27001; SOC 2 Type II |
| SMS / Notification Provider | Sending SMS order updates and two-factor authentication codes | Mobile telephone number, message content (OTP codes) | EU / EEA | EEA — no transfer | ISO 27001 |
| Video Conferencing (Client Success) | Onboarding calls, training sessions, support screen-shares with Client teams | Name, email, video/audio session data (not recorded without consent) | EU / EEA | EEA — no transfer | ISO 27001; SOC 2 Type II |
| Sub-Processor | Service Provided | Data Categories Processed | Processing Location | Transfer Mechanism | Certifications |
|---|---|---|---|---|---|
| Web Analytics Platform | Anonymized website and Platform usage analytics (consent-gated for non-essential cookies) | Anonymized/pseudonymized behavioural and technical data; IP addresses anonymized within 24h | EU / EEA | EEA — no transfer | ISO 27001; GDPR Mode enabled |
| Application Performance Monitoring | Real-time Platform uptime, error rate, and latency monitoring | Anonymized request metadata, error logs (no personal data in standard configuration) | EU / EEA | EEA — no transfer | ISO 27001; SOC 2 Type II |
| Security Information & Event Management (SIEM) | 24/7 security monitoring, anomaly detection, audit log management | Access logs, IP addresses, session identifiers, security event data | EU / EEA | EEA — no transfer | ISO 27001 |
| A/B Testing and Feature Flagging | Controlled rollout of new features and UX experiments (consent-gated) | Pseudonymized user identifiers, feature interaction data | EU / EEA | EEA — no transfer | GDPR-compliant DPA |
| Sub-Processor | Service Provided | Data Categories Processed | Processing Location | Transfer Mechanism | Certifications |
|---|---|---|---|---|---|
| KYB / Business Verification Provider | Know Your Business verification for Seller onboarding — company registration, director identity, AML screening | Business name, registration number, director names, beneficial ownership data, sanctions screening data | EU / EEA | EEA — no transfer | ISO 27001; AML Act compliance; regulated entity |
| Sanctions and PEP Screening | Ongoing screening of Sellers and Buyers against EU, UN, OFAC sanctions lists and PEP databases | Business identity, director names, jurisdictions | EU / EEA + US | SCCs (EU–US) | ISO 27001; regulated compliance service |
| Electronic Signature Provider | Digital signing of Platform agreements and DPAs by Client administrators | Name, email address, signature metadata, IP address, timestamp | EU / EEA | EEA — no transfer | eIDAS compliant; ISO 27001 |
| Sub-Processor | Service Provided | Data Categories Processed | Processing Location | Transfer Mechanism | Certifications |
|---|---|---|---|---|---|
| Logistics and Carrier API Aggregator | Integration layer connecting Platform to shipping carriers for label generation and tracking | Recipient name, delivery address, Order reference, package details | EU / EEA | EEA — no transfer | ISO 27001 |
| Third-Party Marketplace Connectors (Amazon, eBay, Allegro, Shopify, etc.) | API integrations enabling Clients to sync inventory, orders, and listings across sales channels | Product data, Order data, account credentials (encrypted) | Varies by platform — EU and non-EU | SCCs where non-EEA | Per platform certification |
| ERP / Warehouse Management Integration Middleware | Middleware enabling Clients to connect own ERP or WMS systems to ExactFlow | Inventory, Order, and supplier data as configured by Client | EU / EEA (middleware layer) | EEA — no transfer | ISO 27001 |
| Sub-Processor | Service Provided | Data Categories Processed | Processing Location | Transfer Mechanism | Certifications |
|---|---|---|---|---|---|
| AI Model Inference Provider | Hosting and serving the underlying language model inference for ExactFlow's AI Agents | Pseudonymized query data and context passed to model for inference; no persistent storage of personal data by inference layer | EU / EEA | EEA — no transfer | ISO 27001; SOC 2 Type II; EU AI Act compliance documentation maintained |
| AI Training Data Infrastructure | Secure storage and processing environment for ExactFlow AI model training and fine-tuning (no personal data from production) | Anonymized and synthetic training datasets only — no production personal data | EU / EEA | EEA — no transfer | ISO 27001 |
ExactFlow will notify Clients of any intended addition or replacement of a sub-processor by:
Clients who have a legitimate data protection objection to a new or changed sub-processor may notify ExactFlow in writing at privacy@exactflow.com within 14 calendar days of the notification. ExactFlow will work with the Client to resolve the objection. If the objection cannot be resolved, either party may terminate the affected services with 30 days' written notice without penalty.
All sub-processors listed in this document have been assessed by ExactFlow's Data Protection Officer and are bound by GDPR Article 28-compliant Data Processing Agreements incorporating Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where required for international transfers. Transfer Impact Assessments (TIAs) are maintained for all non-EEA transfers.
— END OF SUBPROCESSOR LIST — EXACTFLOW P.S.A. —