1. What is a sub-processor?
A sub-processor is any third party that processes Customer Data on Complair's behalf — for example, an infrastructure provider that hosts our database, or an API vendor that powers a feature. Under the GDPR, we (Complair) act as a Processor for Customer Data, and our sub-processors act as further Processors. Engaging a sub-processor requires Customer authorisation; this page provides that authorisation.
For full contractual terms see our Data Processing Agreement.
2. Current sub-processors
The list below is the single source of truth for Complair's sub-processors. Where this conflicts with another document, this page wins.
| Sub-processor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH | Application hosting, PostgreSQL database, encrypted backups | All Customer Data at rest | Germany (EU) | Within EEA — no transfer mechanism required |
| Anthropic, PBC | Claude API — AI risk classification, compliance assistant, document generation | Prompt content (AI system descriptions, user queries) | United States | EU SCCs (Module 3) + supplementary measures |
| Stripe Payments Europe Ltd. | Subscription billing, payment processing, invoicing | Billing contact details, subscription metadata | Ireland (EU) | Within EEA |
| Resend (Resend, Inc.) | Transactional email delivery (invitations, password resets, notifications, regulatory digest) | Recipient email addresses, email content | United States | EU SCCs (Module 3) |
| Sentry | Application error monitoring (personal data minimised and scrubbed) | Anonymised error traces, truncated IP addresses | European Union | Within EEA |
All sub-processors above are bound by a written data-processing agreement that imposes obligations no less protective than our own DPA with you.
3. How sub-processor changes are managed
- 30-day advance notice. When we plan to add or replace a sub-processor, we email Enterprise workspace owners 30 days before the change takes effect.
- 5-day page update. The list above is updated within 5 business days of any change taking effect.
- Right to object. Customers may object on reasonable data-protection grounds within the 30-day notice window. We work in good faith to find alternatives. If no resolution is possible, the affected service component may be terminated without penalty.
- Continuing liability. Complair remains fully liable for the acts and omissions of its sub-processors as if they were its own.
4. International transfers
Customer Data is stored in Frankfurt, Germany (EU). Where a sub-processor is located outside the EEA, we ensure an adequate transfer mechanism is in place:
- Standard Contractual Clauses — Module 3 (Processor-to-Sub-processor) as adopted by the European Commission Decision 2021/914.
- Supplementary measures — encryption in transit and at rest, contractual restrictions on government access, transfer impact assessments, and data minimisation.
- No training on Customer Data — for AI sub-processors, contracts explicitly prohibit using prompt content to train models.
Copies of executed SCCs are available on request at privacy@complair.eu.
5. How to receive change notifications
- Enterprise customers receive 30-day advance email notification to the workspace owner.
- Growth and Scale customers can subscribe to changes via the form below — we email each time this page updates.
- Anyone can monitor this page directly. The Last updated date at the top changes with every revision.
Subscribe to change notifications: privacy@complair.eu.
6. Change log
Material changes to the sub-processor list, ordered most recent first.
- 2026-05-04 — Initial publication of dedicated sub-processor page. List unchanged from existing DPA Section 6.
7. Contact
Questions about a specific sub-processor, transfer mechanism, or change: privacy@complair.eu.
For the contractual basis governing all sub-processors, see our Data Processing Agreement.