| Sub-processor | Function | Region | DPA / SCC reference |
|---|---|---|---|
| Hetzner Online GmbH | Cloud hosting (compute, storage, snapshots) | Nuremberg, Germany | hetzner.com/legal/order-processing-agreement |
| Cloudflare Inc. | DNS, CDN, WAF, DDoS mitigation | EU edge + global | cloudflare.com/cloudflare-customer-dpa |
| Vercel Inc. | Frontend hosting (powerquant.dk) | EU + US edge | vercel.com/legal/dpa |
| Supabase Inc. | Postgres + Auth + Storage | Frankfurt, Germany | supabase.com/dpa |
| Anthropic PBC | LLM inference (Claude); zero-retention API mode | US (SCCs Module 2) | anthropic.com/legal/dpa |
| OpenAI L.L.C. | LLM + embeddings; zero-retention API mode | US (SCCs Module 2) | openai.com/policies/data-processing-addendum |
| Cohere Inc. | LLM reranker | US/EU (SCCs Module 2) | cohere.com/legal/dpa |
| Stripe Inc. + Stripe Payments Ireland Ltd | Payment processing | Ireland EU + US | stripe.com/legal/dpa |
| Resend Inc. | Transactional email | EU | resend.com/legal/dpa |
| Telegram FZ-LLC | Operational alerts to founder (NOT customer data) | Dubai (founder ops only) | telegram.org/privacy |
International transfers
For US-based sub-processors (Anthropic, OpenAI, Cohere, Stripe US, Telegram), PowerQuant relies on:
- Standard Contractual Clauses (SCCs) — EU Commission 2021/914
- Sub-processor-specific Transfer Impact Assessment — kept internally, summary on NDA-bound request
- Data Privacy Framework certification where available (Anthropic, OpenAI, Stripe US)
Module 2 (controller-to-processor) is used for AI/embedding sub-processors. Module 4 (processor-to-controller) is used for Stripe payment-data, where Stripe acts as data-controller for KYC/AML.
Notification of changes
PowerQuant gives 30 days' notice of any new sub-processor (via email + this page updated with effective-date marker). Customer objection window: 14 days. Objection resolves per DPA §10 — typically by alternative sub-processor identification, workaround acceptance, or mutual termination with pro-rata refund.