Subprocessors
Open Social engages a limited number of carefully selected subprocessors to support the delivery, security and operation of our Services.
Each subprocessor is contractually required to implement appropriate technical and organisational measures and may process Customer Data only on behalf of Open Social and in accordance with our instructions. Where Personal Data is transferred outside the European Economic Area (EEA), Open Social ensures that an appropriate transfer mechanism under Chapter V GDPR is in place.
This page is maintained in accordance with Article 6 (Involvement of Subprocessors) and, where applicable, Article 7 (AI Processing and Service Providers) of our Data Processing Agreement (DPA).
Version: 1.0
Effective date: 1 August 2026
Last updated: 1 August 2026
⸻
🇪🇺 Our approach to European Digital Sovereignty
Where a customer selects an EU/EEA deployment, Open Social ensures that the primary storage and routine processing of Customer Data remains within the European Economic Area (EEA), except where limited cross-border transfers are necessary for essential service functionality and are protected by appropriate safeguards under applicable data protection law.
⸻
🏗️ Core Platform Services
The following subprocessors are used to provide the core Open Social platform.
🇪🇺 Platform.sh (Upsun)
Availability
Included in all deployments.
Purpose
Managed cloud hosting and infrastructure services for the operation of the Open Social platform.
Processing location
Customer-selected deployment (EEA or United States).
Provider jurisdiction
France (EU) or, where selected by the Controller, the United States.
Transfer mechanism
No Chapter V transfer applies for EEA deployments. Where the Controller selects a United States deployment, Platform.sh relies on the EU-US Data Privacy Framework where certified.
⸻
🌍 Cloudflare (planned removal by 31 August 2026)
Availability
Legacy deployments only.
Purpose
Content Delivery Network (CDN).
Processing location
Multiple jurisdictions (EU Data Localization Suite available).
Provider jurisdiction
United States.
Transfer mechanism
EU-US Data Privacy Framework where certified.
⸻
🇪🇺 Bunny.net
Availability
Included in all new deployments.
Purpose
Content Delivery Network (CDN), Web Application Firewall (WAF) and DDoS protection.
Processing location
European Economic Area.
Provider jurisdiction
Slovenia (EU).
Transfer mechanism
No Chapter V transfer.
⸻
🇪🇺 Hetzner
Availability
Included in all deployments.
Purpose
Encrypted backup storage.
Processing location
Germany.
Provider jurisdiction
Germany (EU).
Transfer mechanism
No Chapter V transfer.
⸻
🌍 SendGrid (planned removal by 31 October 2026)
Availability
Legacy deployments only.
Purpose
Delivery of transactional emails generated by the Services.
Processing location
Customer-selected (EU or United States).
Provider jurisdiction
United States.
Transfer mechanism
EU-US Data Privacy Framework where certified.
⸻
🇪🇺 AhaSend
Availability
Included in all new deployments.
Purpose
Delivery of transactional emails generated by the Services, including password resets, invitations, account notifications and other system communications.
Processing location
Germany and Finland.
Provider jurisdiction
The Netherlands (EU).
Transfer mechanism
No Chapter V transfer.
⸻
🇪🇺 Elastic Cloud
Availability
Included in all deployments.
Purpose
Operational logging, monitoring and troubleshooting. Personal Data is processed only to the extent contained in application logs, diagnostic information and security events generated during the operation of the Services.
Processing location
Ireland.
Provider jurisdiction
The Netherlands (EU).
Transfer mechanism
No Chapter V transfer.
⸻
🌍 Freshworks (Freshdesk)
Availability
Included with Open Social Support.
Purpose
Customer support and incident resolution. Personal Data is processed only where included in support requests or where required to investigate reported issues.
Processing location
European Economic Area (AWS).
Provider jurisdiction
United States.
Transfer mechanism
EU-US Data Privacy Framework where certified.
⸻
🤖 Optional AI Services
These subprocessors are only used when the Controller enables Gaia AI.
🇪🇺 Mistral AI
Availability
Optional.
Purpose
AI inference for Gaia AI functionality.
Customer Data is processed solely to provide the requested AI functionality. Customer Data, prompts, outputs and embeddings are not used for model training, model improvement or independent commercial purposes.
Processing location
Sweden and the Netherlands.
Provider jurisdiction
France (EU).
Transfer mechanism
No Chapter V transfer.
⸻
🔌 Optional Features & Integrations
These subprocessors are only used when the Controller enables the relevant functionality.
🌍 Mux Video
Availability
Optional.
Purpose
Video hosting, streaming and media processing.
Processing location
AWS Frankfurt (Germany) using Mux’s EU data pseudonymisation offering.
Provider jurisdiction
United States.
Transfer mechanism
European Commission Standard Contractual Clauses together with a Data Transfer Impact Assessment.
⸻
🌍 CleanTalk
Availability
Optional.
Purpose
Spam prevention and automated content moderation.
Processing location
Customer-selected (EU or United States).
Provider jurisdiction
United States.
Transfer mechanism
European Commission Standard Contractual Clauses together with a Data Transfer Impact Assessment.
⸻
🇪🇺 OVHcloud (Document Collaboration)
Availability
Optional.
Purpose
Document collaboration and online document editing.
Processing location
France.
Provider jurisdiction
France (EU).
Transfer mechanism
No Chapter V transfer.
⸻
🌍 Cloud Messaging
Availability
Optional.
Purpose
Push notification delivery for Android devices.
Open Social supports a configuration in which push notification payloads contain only technical metadata and do not include Personal Data or user-generated content.
Processing location
Multiple Google-managed regions.
Provider jurisdiction
United States.
Transfer mechanism
European Commission Standard Contractual Clauses together with a Data Transfer Impact Assessment.
⸻
🇪🇺 OVHcloud (Kafka for Lumina Insights)
Availability
Optional.
Purpose
Hosting of Kafka infrastructure supporting event processing for Lumina Insights.
Processing location
France.
Provider jurisdiction
France (EU).
Transfer mechanism
No Chapter V transfer.
⸻
🌍 Convoy
Availability
Optional.
Purpose
Delivery of outbound webhooks and event notifications to Controller-configured third-party systems.
Personal Data is processed only where included in webhook payloads configured by the Controller.
Processing location
European Economic Area.
Provider jurisdiction
United States.
Transfer mechanism
European Commission Standard Contractual Clauses together with a Data Transfer Impact Assessment.
⸻
🌍 International Data Transfers
Where a subprocessor processes Personal Data outside the EEA, or is established outside the EEA, Open Social ensures that an appropriate transfer mechanism under Chapter V GDPR is in place.
Depending on the provider, this may include:
- An adequacy decision adopted by the European Commission;
- The EU-US Data Privacy Framework (where applicable);
- The European Commission’s Standard Contractual Clauses together with supplementary measures, including a Data Transfer Impact Assessment where required.
If a transfer mechanism relied upon by Open Social ceases to provide a lawful basis for international transfers, Open Social will implement an appropriate alternative transfer mechanism without undue delay, in accordance with its Data Processing Agreement.
⸻
🔄 Updates
Open Social may update this list from time to time in accordance with Article 6 of the Data Processing Agreement.
Customers with an active Data Processing Agreement will be notified of additions or replacements of subprocessors in accordance with the notification procedure described in the DPA.
⸻
📬 Questions
If you have any questions about our subprocessors, international data transfers or privacy practices, please contact us at: