Subprocessors
October 23rd, 2025
Last updated: 23 October 2025
This page forms part of Annex III to the DPA and is incorporated by reference.
To provide our services effectively, we engage certain third parties as Sub-Processors. Each Sub-Processor is bound by a GDPR-compliant DPA and appropriate technical and organizational measures. For entities outside the EEA/UK/CH, we rely on the EU-US Data Privacy Framework (where applicable) and/or EU Standard Contractual Clauses (SCCs); for the UK we apply the UK Addendum. Data locations may be customer-configurable. All data in transit is protected using TLS 1.2+.
Notification of Changes
We will notify all registered users by email at least 30 days before adding a new Sub-Processor. You may also request to be added to our notification list at contact@chatlab.com.
You may object within 7 days of notice on reasonable data protection grounds (see DPA §4.2). In urgent cases (e.g., security incident), we may engage a Sub-Processor without prior notice and will inform you without undue delay, preserving your 7-day objection right (DPA §4.6).
Current Sub-Processors
1. Amazon Web Services
Legal entity (EEA): Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg, LU
Legal entity (US): Amazon Web Services, Inc., 410 Terry Ave N, Seattle, WA 98109, US
Jurisdiction of establishment: LU / US
Contact: AWS Contact
Data processing locations: EU regions and/or US (customer-configurable)
Transfer mechanism: EU-US DPF (where applicable) and/or EU SCCs; UK Addendum where applicable
Purpose: Cloud infrastructure, databases, storage, networking
2. OpenAI
Legal entity: OpenAI, L.L.C., 3180 18th St, San Francisco, CA 94110, US
Jurisdiction of establishment: US
Contact: privacy@openai.com
Data processing locations: US (provider-dependent)
Transfer mechanism: EU SCCs; UK Addendum where applicable
Purpose: API-based language processing/generation for chatbot responses
3. Google (Gemini / Vertex AI)
Legal entity (EEA): Google Ireland Limited, Gordon House, Barrow St, Dublin 4, IE
Legal entity (US): Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043, US
Jurisdiction of establishment: IE / US
Contact (DPO): Google Cloud DPO
Data processing locations: EU and/or US (service/region configurable)
Transfer mechanism: EU-US DPF (where applicable) and/or EU SCCs; UK Addendum where applicable
Purpose: AI language processing/generation
4. Pinecone
Legal entity: Pinecone Systems, Inc., 405 Howard St, Suite 300, San Francisco, CA 94105, US
Jurisdiction of establishment: US
Contact: privacy@pinecone.io
Data processing locations: EU and/or US (index region configurable)
Transfer mechanism: EU SCCs; UK Addendum where applicable
Purpose: Vector database (storage/retrieval of embeddings for RAG context)
5. Cloudflare
Legal entity: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, US
Jurisdiction of establishment: US (with global network including EU)
Contact: privacyquestions@cloudflare.com
Data processing locations: Global edge network (incl. EU)
Transfer mechanism: EU-US DPF (where applicable) and/or EU SCCs; UK Addendum where applicable
Purpose: CDN, DDoS protection, WAF, DNS, performance/security
6. Brevo (formerly Sendinblue)
Legal entity: Sendinblue SAS (trading as "Brevo"), 7 Rue de Madrid, 75008 Paris, FR
Jurisdiction of establishment: FR
Contact: privacy@brevo.com
Data processing locations: EU (e.g., FR/DE)
Transfer mechanism: GDPR-compliant DPA (EEA-based processor)
Purpose: Transactional email (notifications, password resets, account updates)
7. Stripe
Legal entity (EEA): Stripe Payments Europe, Ltd., The One Building, 1 Grand Canal Street Lower, Dublin 2, IE
Legal entity (US): Stripe, Inc., 510 Townsend St, San Francisco, CA 94103, US
Jurisdiction of establishment: IE / US
Contact: privacy@stripe.com
Data processing locations: EU and/or US (service-dependent)
Transfer mechanism: EU-US DPF (where applicable) and/or EU SCCs; UK Addendum where applicable
Purpose: Payment processing, subscription billing
Purpose of Processing
These Sub-Processors perform discrete functions necessary to deliver, secure, and support our services. Each undergoes due diligence and periodic review for security and GDPR compliance.