Sub-processors
Last updated: June 25, 2026
Eyevinn Technology AB (organization number 556919-9952), which operates the Open Source Cloud platform at osaas.io, engages the third-party sub-processors below to help deliver the Services. Where you use the Services to process personal data, you are the controller and we act as your processor under GDPR Article 28; these sub-processors process personal data on our behalf and on your documented instructions. This page is maintained as the canonical, current list and is also the mechanism by which we notify customers of sub-processor changes (see "Changes to this list" below).
For our standard Data Processing Agreement, contact privacy@eyevinn.se. For how we process data as an independent controller (account, billing, platform operations), see our Privacy Policy.
Where your data is processed
Our primary processing infrastructure is located in Stockholm, Sweden (EU/EEA). Data processed via the Services is hosted in the EU/EEA on this primary infrastructure. We are migrating our primary infrastructure to a Swedish infrastructure provider (Elastx); that migration is in progress and does not change the EU/EEA location of your data. Some sub-processors that provide ancillary functions (authentication, payment, content delivery, and the optional AI feature) operate from outside the EU/EEA; for those, we rely on the safeguards in the table below.
Current sub-processors
Infrastructure and hosting
| Sub-processor | Purpose | Location | Safeguards for any non-EU transfer |
|---|---|---|---|
| Akamai Technologies, Inc. (Akamai Cloud Compute) | Compute, storage, networking, and managed Kubernetes for the Services. Where your application and its data are hosted. | Stockholm, Sweden (EU/EEA) | EU/EEA-resident; no Chapter V transfer arises. Akamai holds ISO/IEC 27001:2022, ISO 27017, ISO 27018, ISO 27701, and SOC 2 Type II. Data Processing Agreement in place. |
| Cloudflare, Inc. | Content delivery network, edge TLS termination, and DDoS protection. | United States, with global edge locations including the EU. | EU Standard Contractual Clauses (2021/914) and Cloudflare's Data Processing Addendum; EU-US Data Privacy Framework where certified. |
| Elastx AB | Swedish infrastructure provider; primary-infrastructure migration target. Migration in progress; not yet the primary host. | Sweden (EU/EEA) | EU/EEA-resident. Data Processing Agreement to be in place before any production cutover. Listed for transparency during the migration. |
Payment processing
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe (Stripe Payments Europe, Ltd. and affiliates) | Processes subscription payments. Stripe acts as an independent controller for payment data under its own privacy policy, so this falls outside our Article 28 processor chain, listed here for transparency. | EU (Ireland) with US operations | Stripe's Data Processing Agreement and EU Standard Contractual Clauses where applicable. PCI-DSS Level 1. |
Authentication (only where you choose that sign-in method)
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| GitHub, Inc. (Microsoft) | OAuth sign-in when you sign in with GitHub. Minimal data (token, user ID, email). | US with EU data centers | EU Standard Contractual Clauses (2021/914); Microsoft EU Data Boundary. |
| Google LLC | OAuth sign-in when you sign in with Google. Minimal data (token, user ID, email). | US with EU data centers | EU-US Data Privacy Framework (Google certified) with EU Standard Contractual Clauses as fallback. |
| Apple Inc. | "Sign in with Apple" when you choose it. Minimal data (token, user ID, relay email). | US with global operations | EU Standard Contractual Clauses; Apple's data-processing terms. |
Email magic-link and passkey (WebAuthn) sign-in involve no third-party identity sub-processor.
Analytics (self-hosted on our EU infrastructure)
| Tool | Purpose | Location | Note |
|---|---|---|---|
| Umami Analytics | Privacy-focused, cookieless web analytics. No cookies and no personal identifiers. | Self-hosted on our Stockholm (EU/EEA) infrastructure | Self-hosted; no third party has access, so not a separate sub-processor. |
AI model providers (only where you enable the AI feature, osaas-ai)
The optional osaas-ai feature sends prompt and operational content to a third-party AI model provider. We enforce a 7-day retention limit and pseudonymize user identifiers; the providers do not use this content to train their models under their commercial API terms.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Anthropic, PBC | AI model provider (Claude API) for the optional osaas-ai feature. | United States | EU-US Data Privacy Framework with EU Standard Contractual Clauses (Module 3, processor-to-processor) as fallback. Data Processing Agreement in place. |
| OpenAI, L.L.C. (OpenAI Ireland Ltd. for the EEA) | AI model provider (GPT API) for the optional osaas-ai feature. | United States | EU-US Data Privacy Framework with EU Standard Contractual Clauses (Module 3) as fallback. Data Processing Agreement in place (effective January 1, 2026). |
Changes to this list
We will notify customers at least 30 calendar days before adding or replacing a sub-processor, by:
- updating this page (the canonical, current list); and
- emailing the account contact on record.
If you object to a new sub-processor on reasonable data-protection grounds within 30 days, we will discuss it in good faith; if unresolved, you may terminate the affected Services without penalty, as set out in our Data Processing Agreement.
Questions
Contact privacy@eyevinn.se.