Subprocessor List

Last updated: November 16, 2025 | GDPR Article 28 Requirement

1. Introduction

Under GDPR Article 28, BrainPredict OÜ must disclose all sub-processors that process customer personal data. This page lists all third-party service providers used by BrainPredict.

Important:

All sub-processors have signed Data Processing Agreements (DPAs) and comply with GDPR requirements. Customer data remains in EU data centers unless otherwise noted.

2. Infrastructure Sub-processors

Hetzner Online GmbH

  • Purpose: Cloud infrastructure hosting, data storage, compute resources
  • Data Location: Germany (EU)
  • Data Processed: All customer data, application data, backups
  • Certifications: ISO 27001:2022, GDPR compliant
  • Website: hetzner.com
  • DPA: ✅ Signed

3. Payment Processing Sub-processors

Stripe, Inc.

  • Purpose: Payment processing, subscription billing, invoicing
  • Data Location: USA (with EU data residency option)
  • Data Processed: Payment information, billing details, customer names, email addresses
  • Certifications: PCI-DSS Level 1, SOC 2 Type II, GDPR compliant
  • Website: stripe.com
  • DPA: ✅ Signed (available at stripe.com/legal/dpa)
  • Standard Contractual Clauses: ✅ Yes (for EU-US data transfers)

4. Communication Sub-processors

Proton AG (Proton Mail)

  • Purpose: Secure email communications, transactional emails, customer support communications
  • Data Location: Switzerland (adequate data protection per EU Commission Decision)
  • Data Processed: Email addresses, names, email content (end-to-end encrypted)
  • Certifications: ISO 27001, GDPR compliant, Swiss Federal Data Protection Act
  • Website: proton.me
  • DPA: ✅ Signed
  • Encryption: End-to-end encryption, zero-access architecture
  • Note: Used for AI Calendar meeting reminders (72h, 24h, 1h before meetings) and consultation booking confirmations

Microsoft Corporation (Microsoft Teams)

  • Purpose: Video conferencing, meeting scheduling, calendar integration for AI Calendar consultations
  • Data Location: EU data centers (Microsoft EU Data Boundary)
  • Data Processed: Meeting details, participant names, email addresses, calendar events, meeting recordings (optional)
  • Certifications: ISO 27001, ISO 27018, SOC 2 Type II, GDPR compliant
  • Website: microsoft.com/microsoft-teams
  • DPA: ✅ Signed (Microsoft Customer Agreement includes DPA)
  • Standard Contractual Clauses: ✅ Yes (EU Model Clauses)
  • Graph API: Used for meeting creation, Outlook calendar sync, and automated scheduling
  • Note: Used exclusively for AI Calendar Professional and Enterprise plans with opt-in consent

5. No Analytics or Tracking Sub-processors

Privacy-First Approach:

BrainPredict does NOT use third-party analytics, tracking, or advertising services. We do not share customer data with Google Analytics, Facebook Pixel, or similar services.

6. Sub-processor Change Notification

BrainPredict will notify customers of sub-processor changes:

  • Advance Notice: Minimum 30 days before adding new sub-processors
  • Notification Method: Email to account admin + update to this page
  • Objection Period: Customers have 14 days to object
  • Objection Process: Email privacy@brainpredict.ai with concerns
  • Resolution: If objection cannot be resolved, customer may terminate without penalty

7. Data Transfer Mechanisms

For sub-processors outside the EU:

  • Standard Contractual Clauses (SCCs): EU Commission approved SCCs in place
  • Adequacy Decisions: Transfers only to countries with EU adequacy decisions (where applicable)
  • Additional Safeguards: Encryption, access controls, audit rights

8. Sub-processor Audits

BrainPredict conducts regular sub-processor audits:

  • Frequency: Annual compliance reviews
  • Scope: Security practices, data handling, GDPR compliance
  • Certifications: Verify current ISO 27001, SOC 2, PCI-DSS certifications
  • Incident Response: Review data breach procedures and response times

9. Summary Table

Sub-processor | Purpose | Location | DPA
Hetzner Online GmbH | Infrastructure | 🇩🇪 Germany (EU) |
Stripe, Inc. | Payments | 🇺🇸 USA + 🇮🇪 Ireland |
Proton AG | Email Communications | 🇨🇭 Switzerland |
Microsoft Corporation | Video Conferencing | 🇪🇺 EU Data Centers |

10. Contact Information

For questions about sub-processors or to object to changes:

BrainPredict OÜ - Data Protection Officer

Email: privacy@brainpredict.ai

Address: Harju maakond, Tallinn, Kesklinna linnaosa, Jõe tn 3-314, 10151, Estonia

Registry Code: 17352111