Subprocessors
Last updated: 14 June 2026
This page identifies third-party subprocessors that SUNURA uses to process Customer Personal Data in connection with the SUNURA website, platform, dashboards, APIs, widgets, integrations, disclosure workflows, evidence records, public verification pages, exports, support, billing, and related services.
A subprocessor is a third party engaged by SUNURA to process Customer Personal Data on behalf of SUNURA where SUNURA acts as processor for a Customer.
This page does not list every ordinary business supplier used by SUNURA. A supplier is listed as a subprocessor only where it processes Customer Personal Data on behalf of SUNURA in connection with the Services.
SUNURA does not publish unnecessary operational architecture, server names, IP addresses, internal security configurations, detailed network topology, or other sensitive technical implementation details in this public list.
SUNURA is not a law firm and does not provide legal advice, regulatory advice, legal representation, certification, conformity assessment, or a guarantee of compliance with the EU AI Act, GDPR, ePrivacy law, consumer-protection law, advertising law, platform rules, or other applicable law.
1. Relationship with the DPA
Where SUNURA processes Customer Personal Data as processor on behalf of a Customer, the SUNURA Data Processing Addendum applies.
The Customer gives SUNURA general written authorization to engage subprocessors as described in the DPA, the applicable Agreement, and this Subprocessor page.
SUNURA remains responsible for the acts and omissions of its subprocessors to the extent required by applicable data-protection law and the Agreement.
2. Subprocessor change notice
SUNURA may add, replace, or remove subprocessors from time to time.
SUNURA will provide notice of a new or replacement subprocessor at least 30 days before the change takes effect, unless a shorter period is required for security, legal, emergency, service-continuity, or urgent operational reasons.
Notice may be provided through this page, customer dashboard notice, email, DPA notice, order-form notice, or another commercially reasonable method.
Customers may object to a new or replacement subprocessor on reasonable data-protection grounds within the notice period.
If a Customer objects, SUNURA and the Customer will work in good faith to address the objection.
If the objection cannot reasonably be resolved, the Customer may terminate the affected Services in accordance with the Agreement.
3. Active subprocessors
The table below should list only providers that actually process Customer Personal Data for SUNURA production services.
| Service category | Provider | Purpose | Customer Personal Data processed | Processing region / transfer mechanism | Status | Notes |
|---|---|---|---|---|---|---|
| Payment processing | Stripe | Subscription billing, payment processing, invoice support, payment-status handling | Billing contact details, invoice details, subscription metadata, payment metadata, transaction identifiers | As described in Stripe’s applicable data processing terms; international transfers are governed by applicable transfer safeguards, including SCCs where required | Active | SUNURA does not intentionally store full payment-card numbers |
| Hosting / infrastructure | [To be updated] | Application hosting, compute, infrastructure, deployment environment | Account data, workspace data, evidence records, proof-capture metadata, API data, export data where applicable | [To be updated] | Active once production customer data is hosted | Must be completed before paid production launch |
| Database / data storage | [To be updated] | Database hosting, object storage, backups, evidence-record storage, export storage | Account data, workspace data, evidence records, proof-capture data, public-verification metadata, exports, logs where applicable | [To be updated] | Active once production customer data is stored | Must be completed before paid production launch |
| Email delivery | [To be updated] | Account emails, login emails, service notices, security notices, support communications | Email address, name where applicable, message metadata, transactional-message content | [To be updated] | Active once transactional email is enabled | Do not use “to be confirmed” in production |
| DNS / edgebeveiliging / CDN | [To be updated] | DNS, TLS, traffic protection, DDoS mitigation, edgerouting, web security | IP address, request metadata, headers, security logs, technical metadata where applicable | [To be updated] | Active if enabled for production traffic | List only if provider processes Customer Personal Data |
| Logging / error monitoring | [To be updated] | Error monitoring, diagnostics, incident investigation, reliability monitoring | Technical logs, error traces, request metadata, user or workspace identifiers where applicable | [To be updated] | Optional / active if enabled | Avoid sending secrets, payloads, or unnecessary personal data |
| Product analytics | [To be updated] | Product usage analytics, feature measurement, service improvement | Pseudonymous usage data, event metadata, device/browser metadata where applicable | [To be updated] | Optional / active if enabled | Use only where lawful and configured; consent may be required for non-essential analytics |
4. Prospective providers
Prospective providers are not active subprocessors until SUNURA engages them for production processing of Customer Personal Data.
SUNURA may evaluate prospective providers for hosting, storage, email delivery, analytics, logging, security, support, customer communication, documentation, or operational tooling.
SUNURA should not place prospective providers in the active subprocessor table unless they actually process Customer Personal Data.
5. Optional subprocessors
Some subprocessors may apply only if the Customer enables a specific feature, plan, integration, support channel, payment flow, or deployment option.
Examples may include:
- advanced analytics;
- error monitoring;
- support-ticket attachments;
- public verification pages;
- evidence exports;
- agency workspaces;
- API automation;
- custom hosting;
- enterprise deployment;
- C2PA or provenance services;
- KMS/HSM or signing infrastructure.
- Where optional subprocessors are used only for certain plans or features, SUNURA will identify that status in the table where commercially reasonable.
6. Data processed by subprocessors
Depending on the Service, plan, configuration, and feature used, subprocessors may process:
- account information;
- workspace and user-role information;
- billing-contact information;
- payment metadata;
- customer configuration data;
- AI use-case records;
- disclosure notice text;
- evidence records;
- render-proof metadata;
- hashes and verification identifiers;
- public-verification metadata;
- export metadata;
- API request metadata;
- technical logs;
- IP addresses or request metadata;
- support communications.
- Customers should avoid submitting unnecessary, excessive, confidential, sensitive, or unlawful personal data to SUNURA.
Unless expressly agreed in writing, customers must not intentionally submit special categories of personal data, criminal-offence data, children’s data, biometric templates, health data, government identifiers, payment-card numbers, passwords, secrets, private keys, or highly confidential third-party data to the Services.
7. International transfers
SUNURA aims to use European Economic Area processing locations where commercially and technically appropriate for production customer data.
Where a subprocessor processes Customer Personal Data outside the European Economic Area,
SUNURA uses an applicable transfer mechanism, such as:
- an adequacy decision;
- the European Commission Standard Contractual Clauses;
- the UK International Data Transfer Agreement or UK Addendum, where applicable;
- Swiss transfer safeguards, where applicable;
- another lawful transfer mechanism available under applicable data-protection law.
- Where required, SUNURA assesses whether supplementary technical, contractual, or organizational measures are necessary.
8. Subprocessor obligations
SUNURA requires subprocessors that process Customer Personal Data to enter into written terms imposing data-protection obligations materially no less protective than those imposed on SUNURA under the DPA, to the extent applicable to the subprocessor’s services.
Such obligations may include:
- processing only for authorized purposes;
- confidentiality;
- appropriate technical and organizational security measures;
- support for breach investigation and notification;
- assistance with data-subject requests where applicable;
- deletion or return obligations;
- restrictions on onward subprocessors;
- international transfer safeguards where required.
9. Customer responsibility
Customers remain responsible for:
- selecting lawful SUNURA configurations;
- ensuring that disclosure workflows are legally appropriate;
- deciding whether public verification pages should be enabled;
- reviewing evidence records before export or publication;
- avoiding unnecessary personal data in screenshots, DOM captures, URLs, API payloads, exports, and support tickets;
- determining whether their own use of AI systems, synthetic content, deepfakes, public-interest text, biometric categorization, emotion recognition, analytics, or evidence capture complies with applicable law.
10. Security-sensitive details
For security reasons, SUNURA does not publish:
- server names;
- IP addresses;
- database names;
- internal network topology;
- firewall rules;
- private keys or key-management details;
- security-sensitive infrastructure diagrams;
- internal vulnerability reports;
- non-public incident details;
- credentials, tokens, or operational secrets.
- Customers requiring additional security or vendor-risk information may request appropriate security documentation under confidentiality, where available and commercially reasonable.
11. Contact
Questions about subprocessors may be sent to:
SUNURA Privacy / Subprocessor Contact
Email: [email protected]