We use the following sub-processors to provide the Service. This list forms part of the Data Processing Agreement.
Changes to this list will be announced at least 30 days before taking effect. Customers may object to the engagement of new sub-processors within 14 days for cause (see DPA).
Supabase Inc. (via Supabase EU)
- Purpose
- Hosting of application database, authentication, file storage.
- Location
- EU (Frankfurt / AWS eu-west-1, Ireland)
- Data categories
- Account and profile data, decision content, uploaded files, log data.
- Legal basis
- Art. 28 GDPR (data processing agreement); DPA concluded.
- Processor DPA
- supabase.com/legal/dpa
Anthropic PBC
- Purpose
- AI-assisted text generation and analysis (Claude) for Clarify, Ideate and Decide phases.
- Location
- USA
- Data categories
- Input content actively sent by users to the AI (questions, issue text, arguments). No account data.
- Legal basis
- Art. 28 GDPR (data processing agreement) combined with EU Standard Contractual Clauses and Anthropic's zero-data-retention policy (data is not used for training).
- Transfer mechanism
- EU SCC Module 2 (C2P); Anthropic is certified under the EU-U.S. Data Privacy Framework.
- Processor DPA
- anthropic.com/legal/dpa
ALL-INKL.COM – Neue Medien Münnich
- Purpose
- Web hosting for landing site (decidly.io).
- Location
- Germany
- Data categories
- Server logs, metadata.
- Legal basis
- Art. 28 GDPR (data processing agreement); DPA concluded.
Resend (Resend.com, Inc.)
- Purpose
- Delivery of transactional emails (password reset, invitations, notifications, digests).
- Location
- EU (AWS eu-west-1, Ireland)
- Data categories
- Email address, name, notification content, delivery metadata (bounces, opens).
- Legal basis
- Art. 28 GDPR (data processing agreement); DPA concluded.
- Processor DPA
- resend.com/legal/dpa
Google Ireland Limited (Gmail)
- Purpose
- Receipt of incoming support emails via Google Workspace.
- Location
- Ireland (EU) / USA
- Data categories
- Email content, sender address.
- Legal basis
- Art. 28 GDPR; EU SCC, EU-U.S. Data Privacy Framework.
GitHub, Inc.
- Purpose
- Source code version control and automated deployments. No customer data processing.
- Location
- USA
- Data categories
- No customer data. Developer metadata only.
- Legal basis
- Art. 6(1)(f) GDPR (legitimate interest in code versioning).