Skip to main content

Subprocessor List

Last updated: April 16, 2026 — v2026.31 | GDPR Article 28 Requirement

1. Introduction

Under GDPR Article 28, BrainPredict OÜ must disclose all sub-processors that process customer personal data. This page lists all third-party service providers used by BrainPredict.

Important:

All sub-processors have signed Data Processing Agreements (DPAs) and comply with GDPR requirements. Customer data remains in EU data centers unless otherwise noted.

2. Infrastructure Sub-processors

Hetzner Online GmbH

  • Purpose: Cloud infrastructure hosting, data storage, compute resources
  • Data Location: Germany (EU)
  • Data Processed: All customer data, application data, backups
  • Certifications: ISO 27001:2022, GDPR compliant
  • Website: hetzner.com
  • DPA: Signed

3. Payment Processing

BrainPredict OÜ invoices enterprise customers directly via SEPA credit transfer with Estonian e-invoices (Directive 2014/55/EU). No third-party payment processor or cardholder-data environment is used, therefore no payment sub-processor is engaged for billing activities.

4. Communication Sub-processors

Proton AG (Proton Mail)

  • Purpose: Secure email communications, transactional emails, customer support communications
  • Data Location: Switzerland (adequate data protection per EU Commission Decision)
  • Data Processed: Email addresses, names, email content (end-to-end encrypted)
  • Certifications: ISO 27001, GDPR compliant, Swiss Federal Data Protection Act
  • Website: proton.me
  • DPA: Signed
  • Encryption: End-to-end encryption, zero-access architecture
  • Note: Used for consultation booking confirmations, automated notifications, and customer communications

Proton AG (Proton Calendar)

  • Purpose: Calendar management, consultation booking, meeting scheduling
  • Data Location: Switzerland (adequate data protection per EU Commission Decision)
  • Data Processed: Meeting details, participant names, email addresses, calendar events (end-to-end encrypted)
  • Certifications: ISO 27001, GDPR compliant, Swiss Federal Data Protection Act
  • Website: proton.me/calendar
  • DPA: Signed
  • Encryption: End-to-end encryption, zero-access architecture
  • Note: Used for consultation booking system with 72-hour minimum booking window

Proton AG (Proton Meet)

  • Purpose: Secure video conferencing for consultations and customer meetings
  • Data Location: Switzerland (adequate data protection per EU Commission Decision)
  • Data Processed: Meeting participants, video/audio streams (end-to-end encrypted), meeting metadata
  • Certifications: ISO 27001, GDPR compliant, Swiss Federal Data Protection Act
  • Website: proton.me/meet
  • DPA: Signed
  • Encryption: End-to-end encryption, zero-knowledge architecture
  • Note: Used for €100 consultation sessions and customer support meetings

5. No Analytics or Tracking Sub-processors

Privacy-First Approach:

BrainPredict does NOT use third-party analytics, tracking, or advertising services. We do not share customer data with Google Analytics, Facebook Pixel, or similar services.

6. Sub-processor Change Notification

BrainPredict will notify customers of sub-processor changes:

  • Advance Notice: Minimum 30 days before adding new sub-processors
  • Notification Method: Email to account admin + update to this page
  • Objection Period: Customers have 14 days to object
  • Objection Process: Email privacy@brainpredict.ai with concerns
  • Resolution: If objection cannot be resolved, customer may terminate without penalty

7. Data Transfer Mechanisms

For sub-processors outside the EU:

  • Standard Contractual Clauses (SCCs): EU Commission approved SCCs in place
  • Adequacy Decisions: Transfers only to countries with EU adequacy decisions (where applicable)
  • Additional Safeguards: Encryption, access controls, audit rights

8. Sub-processor Audits

BrainPredict conducts regular sub-processor audits:

  • Frequency: Annual compliance reviews
  • Scope: Security practices, data handling, GDPR compliance
  • Certifications: Verify current ISO 27001, SOC 2, PCI-DSS certifications
  • Incident Response: Review data breach procedures and response times

9. Summary Table

Sub-processorPurposeLocationDPA
Hetzner Online GmbHInfrastructureGermany (EU)
Proton AG (Mail)Email CommunicationsSwitzerland
Proton AG (Calendar)Calendar & SchedulingSwitzerland
Proton AG (Meet)Video ConferencingSwitzerland

10. Contact Information

For questions about sub-processors or to object to changes:

BrainPredict OÜ - Data Protection Officer

DPO Name: M. Piccio

Email: m.piccio@brainpredict.ai

Address: Harju maakond, Tallinn, Kesklinna linnaosa, Jõe tn 3-314, 10151, Estonia

Registry Code: 17352111