Sub-processors
Last updated: April 19, 2026 · Effective immediately
1. Purpose
This page lists the third parties that may process personal data on behalf of Cuttalo srl in the course of operating DepScope, pursuant to art. 28 GDPR. Adequate contractual safeguards (DPAs, SCCs) are in place with each. The list is kept current as the set changes.
2. Current sub-processors
| Provider | Purpose | Data | Location | Safeguards |
|---|---|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing, subscription billing | Email, Stripe customer ID, billing address, VAT ID, card metadata | Ireland (EU) + US affiliates | EU–US DPF + SCC 2021/914 Module 2 |
| Cloudflare, Inc. | CDN, DDoS mitigation, DNS, bot management | IP address, HTTP metadata, User-Agent | US (HQ); EU PoPs for traffic | EU–US DPF + SCC 2021/914 Module 2 |
| OVHcloud (OVH SAS) | Off-site encrypted backups (S3-compatible object storage) | Encrypted backup archives containing account, usage, and billing data | France (EU) | EU-based; encryption at rest |
| Self-hosted SMTP (Cuttalo infrastructure) | Transactional email (magic-link, receipts, alerts) | Email address, message content | EU (Cuttalo own infrastructure) | Operated directly by Cuttalo srl |
3. Change notifications
Enterprise customers with a signed DPA receive at least 30 days' advance notice before adding or replacing a sub-processor. To subscribe to change notifications, email [email protected]. You may object to a new sub-processor for reasonable data-protection grounds; if a workable alternative is not possible, you may terminate the affected service.
4. DPA
A Data Processing Addendum is available to Pro and Team customers on request at [email protected].