Subprocessors
This page lists the third-party providers ("subprocessors") that Accordix uses to process personal data on behalf of its customers. It supports the Data Processing Agreement and the Privacy Policy.
We will update this page before adding subprocessors that materially process Customer Personal Data.
Current subprocessors
| Provider | Purpose | Data processed | Location / region | Transfer mechanism | DPA / link | Status |
|---|---|---|---|---|---|---|
| Render (Render Services, Inc.) | Application hosting, managed PostgreSQL database, and persistent file storage | Account data, workspace metadata, and uploaded documents (which may contain personal data) | EU — Frankfurt, Germany | EU-hosted; for the US-headquartered provider, Standard Contractual Clauses apply under the provider's Data Processing Agreement | https://render.com/legal | Active |
| CloudMailin | Outbound transactional email (verification, reminders) and inbound document intake by email | Recipient email address, message metadata, reminder content (client name and requirement title only), and inbound email attachments | Provider-operated | Provider Data Processing Agreement; adequacy decision or Standard Contractual Clauses as applicable | https://www.cloudmailin.com/legal | Active |
| Meta Platforms Ireland Limited (WhatsApp Cloud API) | Inbound document intake via WhatsApp, only where the Customer enables it (disabled by default) | Sender phone number, message metadata, and inbound attachments | EU contracting entity; provider processes data globally | Provider Data Processing Terms; Standard Contractual Clauses as applicable | https://www.whatsapp.com/legal | Active where enabled |
| Google Cloud Vertex AI (Gemini) — Google Cloud EMEA Limited | AI analysis of a document a Customer links to a request, to suggest other documents that may still be missing ("find missing linked documents") — only where an accountant ticks the per-request opt-in | The raw linked document file (PDF / JPG / PNG / CSV), which may contain personal and financial data (e.g. bank statements, supplier names, amounts, IBANs) | EU — Vertex AI eu multi-region (data residency) |
EU-hosted; for the US-headquartered group, Standard Contractual Clauses apply under the Google Cloud Data Processing Addendum | https://cloud.google.com/terms/data-processing-addendum | Active where enabled |
Notes on the current setup:
- Reminder emails deliberately carry only the client name and requirement title — never document contents such as supplier names, amounts, or invoice numbers.
- Routine text extraction and document classification still run locally (no third-party OCR/AI provider). The only path where document contents reach a third-party AI provider is the optional "find missing linked documents" feature: when an accountant enables it on a specific request and a document is linked, the raw file is sent to Google Cloud Vertex AI (listed above) to generate suggestions. It is opt-in per request, the output is suggestions a human reviews (no automated decision about the data subject), and a failure never blocks the upload. See
docs/13-linked-document-detection.md. - WhatsApp intake is disabled by default and processes data only where a Customer explicitly enables it.
Not currently used
Accordix does not currently use the following categories. If any are introduced, this page and the relevant documents must be updated first:
- third-party website or product analytics / tracking;
- a payment provider (billing is not implemented);
- a separate object-storage provider (files are stored on the hosting provider's persistent disk);
- a third-party error-monitoring provider;
- a customer support / helpdesk platform that stores customer data.
Contact
Questions about our subprocessors: privacy@accordix.sk.