Subprocessor List
Product: Exceptao / paraKSCol / Cyberzgodnošć EDU · Last updated: 2026-05-15
Controller entity: METAMORFOZIS GLETSCHMANN SP. J. · KRS 0001193277 · imprint
Change notification: Tenants are notified at least 30 calendar days before any addition or replacement of a subprocessor, by email to the Tenant Admin’s registered address and by update of this page, pursuant to GDPR Art. 28(2) and DPA §6.
This list covers all third-party services to which personal data originating from Tenant accounts may be transmitted in the course of providing the Service. Self-hosted components that are not third-party subprocessors are described separately below.
The Operator does not sell, share, or otherwise make available Tenant personal data to any third party for that third party’s own commercial purposes.
Active subprocessors
1. Cloudflare, Inc.
| Field | Detail |
|---|---|
| Registered address | 101 Townsend St, San Francisco, CA 94107, USA |
| Purpose | (a) Content Delivery Network (CDN) and Web Application Firewall (WAF): all inbound HTTP/S requests to the Service pass through Cloudflare’s global edge network, which applies DDoS protection, bot management, and WAF rules before forwarding to the origin VPS. (b) Cloudflare Tunnel (cloudflared): the Operator’s VPS connects outbound to Cloudflare via an encrypted mTLS tunnel; Cloudflare proxies all inbound traffic through this tunnel — the VPS has no public inbound ports. (c) Cloudflare R2 object storage: evidence files uploaded by Tenants, and encrypted database backup archives, are stored in R2. |
| Data transmitted | (CDN/WAF/Tunnel) IP addresses and request headers of all inbound HTTP/S requests are visible to Cloudflare edge nodes. (R2) GPG-encrypted database backup archives and evidence files are stored in R2. Client-side encryption is applied to sensitive evidence files before upload, so Cloudflare receives ciphertext only for those files. |
| Data region / jurisdiction | R2 bucket jurisdiction: EU (set at bucket creation; object data does not leave the EU). CDN/WAF edge: global — IP addresses and request headers transit Cloudflare’s global edge infrastructure and are retained only under Cloudflare’s standard log retention policy (typically 24–72 hours for raw logs). |
| Personal data categories | IP addresses and user-agent strings (CDN/WAF); encrypted evidence file contents (R2); encrypted backup archives (R2). |
| Security posture | ISO 27001 certified; SOC 2 Type II audited; PCI DSS Level 1 service provider. Cloudflare’s DPA accepted. R2 data encrypted at rest (AES-256) by Cloudflare; client-side encryption layered on top for sensitive evidence files. |
| Transfer mechanism | Cloudflare Data Processing Addendum accepted. Standard Contractual Clauses (SCCs — Module 2, Controller to Processor) in place. Transfer Impact Assessment completed. |
| Website | cloudflare.com |
| Activated | Yes — active from initial service launch. |
2. Backblaze, Inc.
| Field | Detail |
|---|---|
| Registered address | 500 Ben Franklin Ct, San Mateo, CA 94401, USA |
| Purpose | Secondary encrypted backup storage, as the second provider in the Operator’s 3-2-1 backup policy. Cloudflare R2 is the primary backup storage; Backblaze B2 is the secondary (off-site, different provider). This dual-provider arrangement ensures backup availability even if one provider experiences an outage or account suspension. |
| Data transmitted | GPG-encrypted (AES-256 equivalent) archive files of the Postgres database. The encryption is applied on the Operator’s VPS before transmission to Backblaze. Backblaze receives only ciphertext. The GPG private key is stored off-VPS and is not accessible to Backblaze at any time. Backblaze cannot decrypt the data it stores. |
| Data region / jurisdiction | EU — Backblaze EU region (Amsterdam, Netherlands). Backup archives are stored exclusively in the Amsterdam region and do not leave the EU/EEA. |
| Personal data categories | Encrypted backup archives only. Since Backblaze receives only ciphertext and cannot decrypt it, no personal data is accessible to Backblaze. For GDPR purposes, Backblaze is nonetheless classified as a subprocessor because it stores encrypted archives that contain personal data in encrypted form. |
| Security posture | SOC 2 Type II audited. Data is encrypted before transmission; Backblaze cannot access, read, or decrypt the stored data. |
| Transfer mechanism | Backblaze Data Processing Agreement accepted. Standard Contractual Clauses (SCCs — Module 2) in place for the US-EU transfer. |
| Website | backblaze.com |
| Activated | Yes — active from initial service launch. |
3. Microsoft Corporation (Graph API — Model A)
| Field | Detail |
|---|---|
| Registered address | One Microsoft Way, Redmond, WA 98052, USA |
| Purpose | Outbound transactional email notifications. The Operator maintains a single SaaS-owned Microsoft 365 tenant (“Model A”) from which all platform-generated email is sent. This includes: exception approval and rejection notifications, incident deadline reminders (24h, 72h, 30d), overdue task alerts, audit-pack generation confirmations, account invitation emails, password reset emails, and critical security notices. |
| Data transmitted | Recipient email address; recipient display name or first name (for email salutation); notification content — which includes: exception or incident title, action required, due date or deadline, a link to the relevant item in the Service. Notification content does not include: audit log contents, evidence file contents, full-text exception descriptions, risk assessment details, or any other sensitive compliance data. |
| Data region / jurisdiction | The Operator’s SaaS-owned M365 tenant is configured in the EU region (data residency: EU). Email processing and storage occurs within Microsoft’s EU data centre footprint. |
| Personal data categories | Recipient email address; recipient name; notification content as described above. |
| Security posture | ISO 27001 certified; SOC 2 Type II audited; ISO 27018 (Cloud Privacy) certified. Microsoft’s Data Processing Addendum covers this use under the Microsoft Products and Services DPA. |
| Transfer mechanism | Microsoft Online Services Data Processing Addendum accepted. Standard Contractual Clauses (SCCs — Module 2) in place. EU data residency commitment for the M365 tenant in place. |
| Notes on Model B | When a Tenant connects their own Microsoft 365 mailbox (Model B — available as an optional feature), email for that Tenant is sent via the Tenant’s own Microsoft 365 subscription. In that configuration: (a) the Operator does not transmit email content to the Operator’s own M365 tenant; (b) the Tenant’s own Microsoft agreement governs the processing; (c) Microsoft processes data under the Tenant’s DPA with Microsoft, not under this subprocessor relationship. The Operator’s Graph OAuth token for Model B is encrypted in Vault and treated as Tenant data. |
| Website | microsoft.com |
| Activated | Yes — Model A active from initial service launch. Model B: not yet active. |
Self-hosted components (not subprocessors)
The following components process personal data but are operated entirely on Operator-controlled infrastructure. They are not third-party subprocessors within the meaning of GDPR Art. 28 because no personal data is transmitted to or accessible by any external entity.
HashiCorp Vault (self-hosted)
| Field | Detail |
|---|---|
| Purpose | Secret management and envelope encryption broker. Vault stores: per-tenant Data Encryption Keys (DEKs) for R2 evidence file encryption; OIDC client secrets for per-tenant SSO configurations; Microsoft Graph OAuth tokens for Model A and Model B; TOTP secrets for user MFA (as ciphertext wrapped by Vault’s transit engine); integration API keys. |
| Deployment | Self-hosted on the same VPS as the application (EU — Frankfurt). Vault is not a cloud-managed service; it runs as a container in the Operator’s Docker Compose stack. No Vault data leaves the Operator’s VPS except through the Cloudflare Tunnel (for administrative access via Cloudflare Access). |
| Personal data stored | Vault holds cryptographic key material and credential secrets — it does not directly store personal data about data subjects. It holds the keys that protect personal data stored in Postgres and R2. |
| Security posture | Vault is sealed at boot and requires manual unseal (or automated unseal via a secure external mechanism). Unseal keys are Shamir-shared (threshold 3 of 5 shares) and stored off-VPS: 1Password vault (shares 1–3) and hardware security tokens (shares 4–5). AppRole tokens issued to the application are short-lived ([TO BE COMPLETED: confirm AppRole token TTL — recommended ≤ 1 hour]) and scoped to the minimum necessary Vault policies. |
| Classification | Self-hosted; not a third-party subprocessor. |
Planned / conditional subprocessors NOT YET ACTIVE
Tenants will be notified at least 30 calendar days before any of these subprocessors are activated, per the change notification process in DPA §6.2.
| Service | Registered location | Condition for activation | Purpose | Data categories |
|---|---|---|---|---|
| Stripe, Inc. | South San Francisco, CA, USA | When self-serve billing is activated (planned Phase 2) | Payment card processing and subscription self-management | Billing contact name, email, payment card data (processed by Stripe, not stored by the Operator); subscription status |
| Polish VPS provider (e.g. OVHcloud Warsaw, Atman Warsaw, or equivalent) | Poland | When the Cyberzgodnošć EDU PL data plane is activated | Application hosting, database, and object storage for PL-region Tenants | All data categories for PL-region Tenants |
| Error tracking service (e.g. Sentry, self-hosted or cloud) | [TBD] | If self-hosted Sentry is not operationally feasible | Application error tracking and stack trace capture — enables debugging of production issues | IP addresses, user-agent strings, stack traces (Sentry’s scrubbing rules will be configured to exclude personal data before capture). Preference is self-hosted Sentry (which would not constitute a third-party subprocessor). |
Subprocessor change process
- The Operator evaluates the proposed new or replacement subprocessor against: (a) GDPR Art. 28 requirements; (b) adequacy of security posture (certifications, DPA, transfer mechanism); (c) data minimisation.
- The Operator negotiates a DPA with the subprocessor.
- The Operator updates this page with the new subprocessor details.
- The Operator sends a notification email to all Tenant Admins at least 30 calendar days before the new subprocessor processes any Tenant data.
- Tenants may object within the 30-day notice period per DPA §6.3. If a Tenant objects and the Operator cannot accommodate the objection, the Tenant may terminate without penalty.
Change log
| Date | Change |
|---|---|
| 2026-05-15 | Full draft published; Cloudflare, Backblaze, Microsoft (Graph API Model A) confirmed as active subprocessors. |
| 2026-05-14 | Initial stub published. |