Last updated: 27 June 2026 · This page is the authoritative current list of sub-processors engaged by Ansvar.
This page lists the sub-processors that Ansvar Systems AB ("Ansvar") engages to Process Personal Data on behalf of its customers in connection with the Ansvar Gateway and related services. It is the authoritative, up-to-date list and is incorporated into Annex 3 of the Data Processing Addendum. Ansvar remains liable to the customer for the acts and omissions of its sub-processors.
| Name | Role / service | Address of establishment | Location(s) of the Processing | Transfer mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure and hosting; key-management infrastructure | Industriestr. 25, 91710 Gunzenhausen, Germany | Germany (Falkenstein DC + Storage Box, same campus) | None required — processing within the EEA |
| Cloudflare, Inc. | TLS termination, CDN, WAF, DDoS protection | 101 Townsend Street, San Francisco, CA 94107, USA | EU edge (TLS termination) + US routing | Terminates TLS and processes traffic in transit at the EU edge; some routing/processing may occur in the US. Covered by the EU–US Data Privacy Framework (Cloudflare self-certified) + EU SCCs (Module 2/3) as fallback. |
| Stripe | Payment processing for paid subscriptions | 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland | Primarily Ireland (EEA); onward to Stripe, Inc. (US) for some processing | EU SCCs + EU–US Data Privacy Framework (Stripe, Inc. self-certified) |
| Scaleway TEM | Transactional email (account, billing, security notifications) | 8 rue de la Ville l'Évêque, 75008 Paris, France | France (fr-par region) | None required — processing within the EEA |
| Microsoft 365 | Productivity, email, and support tooling | One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | EU Data Boundary (EEA); limited onward to Microsoft Corp. (US) for support/telemetry | EU SCCs + EU–US Data Privacy Framework (Microsoft self-certified); EU Data Boundary minimises transfers |
| DigiCert, Inc. | RFC-3161 timestamping of the aggregate Merkle root hash only — Team/Company Audit Ledger feature | 2801 N. Thanksgiving Way, Lehi, UT 84043, USA | United States (RFC-3161 timestamp authority) | No Personal Data is transferred — only the daily aggregate Merkle root hash (no PII, irreversible). Backstop: DigiCert, Inc. self-certifies under the EU–US Data Privacy Framework (incl. the UK Extension and Swiss–US DPF) per its published privacy notice. |
Ansvar provides prior written notice to customers of any intended addition or replacement of a sub-processor at least fifteen (15) calendar days before the change takes effect, and customers may object within ten (10) calendar days on reasonable data-protection grounds specific to the relevant sub-processor, in accordance with the "Sub-processors" section of the DPA. To be notified of changes, or to raise an objection, contact privacy@ansvar.eu.
See the Data Processing Addendum for the full GDPR Article 28 processing terms, the Privacy Notice for processing where Ansvar acts as controller, and the Terms of Service for the general subscription terms.