We use the following sub-processors to provide the Service. This list forms part of the Data Processing Agreement.
Changes to this list will be announced at least 30 days before taking effect. Customers may object to the engagement of new sub-processors within 14 days for cause (see DPA).
Supabase Inc. (via Supabase EU)
Website →- Purpose
- Hosting of application database, authentication, file storage.
- Location
- EU (Frankfurt / aws eu-west-1, Ireland)
- Data categories
- Account and profile data, decision content, uploaded files, log data.
- Legal basis
- Art. 28 GDPR (data processing agreement); DPA concluded.
- Processor DPA
- supabase.com/legal/dpa
Anthropic PBC
Website →- Purpose
- AI-assisted text generation and analysis (Claude) for Clarify, Ideate and Decide phases.
- Location
- USA
- Data categories
- Input content actively sent by users to the AI (questions, issue text, arguments). No account data.
- Legal basis
- Art. 28 GDPR (data processing agreement) combined with EU Standard Contractual Clauses. According to Anthropic, API inputs and outputs are not used for model training by default; standard retention is up to 30 days unless a separate zero-data-retention agreement applies.
- Transfer mechanism
- EU SCC Module 2 (C2P); Anthropic is certified under the EU-U.S. Data Privacy Framework.
- Processor DPA
- anthropic.com/legal/dpa
ALL-INKL.COM – Neue Medien Münnich
Website →- Purpose
- Web hosting for landing site (decidly.io).
- Location
- Germany
- Data categories
- Server logs, metadata.
- Legal basis
- Art. 28 GDPR (data processing agreement); DPA concluded.
Resend (Resend.com, Inc.)
Website →- Purpose
- Delivery of transactional emails (password reset, invitations, notifications, digests).
- Location
- EU (aws eu-west-1, Ireland)
- Data categories
- Email address, name, notification content, delivery metadata (e.g. delivery status, bounces).
- Legal basis
- Art. 28 GDPR (data processing agreement); DPA concluded.
- Processor DPA
- resend.com/legal/dpa
Google Ireland Limited (Gmail)
Website →- Purpose
- Receipt of incoming support emails via Google Workspace.
- Location
- Ireland (EU) / USA
- Data categories
- Email content, sender address.
- Legal basis
- Art. 28 GDPR; EU SCC, EU-U.S. Data Privacy Framework.
- Processor DPA
- workspace.google.com/terms/dpa_terms.html
Stripe Payments Europe, Limited
Website →- Purpose
- Payment processing for paid tiers, AI-credit top-ups, invoices and payment status synchronisation.
- Location
- Ireland (EU) / Stripe group and subprocessors in third countries
- Data categories
- Billing contact, Stripe customer ID, subscription and payment IDs, invoice and payment metadata. No full card numbers in Decidly.
- Legal basis
- Art. 28 GDPR (data processing agreement); DPA concluded.
- Transfer mechanism
- EU SCC; the Stripe group and relevant subprocessors are additionally covered by the EU-U.S. Data Privacy Framework where applicable.
- Processor DPA
- stripe.com/legal/dpa
Vercel Inc.
Website →- Purpose
- Hosting and server-side execution of the Decidly application and internal admin dashboard.
- Location
- USA / global edge network
- Data categories
- HTTP request metadata, technical logs, serverless execution data and content transiently processed for individual requests.
- Legal basis
- Art. 28 GDPR (data processing agreement); DPA concluded.
- Transfer mechanism
- EU SCC; Vercel is certified under the EU-U.S. Data Privacy Framework.
- Processor DPA
- vercel.com/legal/dpa
GitHub, Inc.
Website →- Purpose
- Source code version control and automated deployments. No customer data processing.
- Location
- USA
- Data categories
- No customer data. Developer metadata only.
- Legal basis
- Art. 6(1)(f) GDPR (legitimate interest in code versioning).