
Third-party Sub-processors

Which sub-processors have access to data?

Introduction

This article provides detailed information about each third-party sub-processor engaged to deliver and support our services.


AEB
Automizely (Aftership)
Amazon AWS
CubeDev
Customer.io
Easypost
Google Cloud Platform (GCP)
HubSpot
Mailgun
OpenAI
Posthog
Print node
Segment
Shippypro
Labelary

Annex 1: Field descriptions


 

AEB

1. Summary of the processing: Integration to file export declarations for cross border shipments
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, address, email, phone number, purchased product information, spend amount
4. Nature of the processing: Transmission and filing of export declarations with customs systems; storage and retrieval of filings; status updates to users.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To generate export declarations for cross border shipments being booked by customers
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): Germany (EU)
8. Legal Safeguards (if outside EU/EEA): N/A (EU-based)
9. Relevant Security Certificates: Implements controls aligned with ISO/IEC 27001 (see vendor security concept).
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Per contract; retains customs filings per statutory requirements; deletion upon termination as agreed.
13. Configured region: EU (Germany/UK based services) 


Automizely (Aftership)

1. Summary of the processing: Getting live tracking data for logistics providers where we don't have a direct integration
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, address, email, phone number, purchased product information, spend amount
4. Nature of the processing: Collection and aggregation of shipment events from carriers; storage of tracking data; exposure via APIs and dashboards.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To give visibility on shipment status and to provide the data to audit charges against shipments
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): Hong Kong (global SaaS)
8. Legal Safeguards (if outside EU/EEA): Standard Contractual Clauses (SCCs)
9. Relevant Security Certificates: ISO27001
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Retention per customer configuration; AfterShip notes data retained as needed for tracking; deletion on request and per DPA.
13. Configured region: Global — carrier events; EU SCCs in place


Amazon AWS

1. Summary of the processing: Cloud hosting
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, phone number, job title, purchased product information, spend amount, spend description, contractual information.
4. Nature of the processing: Cloud infrastructure hosting, storage, networking, database and managed services used by the application.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To provide hosting of the software to customers
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): Global (customer-selected regions)
8. Legal Safeguards (if outside EU/EEA): SCCs, DPA in place
9. Relevant Security Certificates: AWS has certification for compliance with ISO/IEC 27001:2022, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 20000-1:2018, 9001:2015
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Customer‑controlled retention; AWS deletes customer content upon termination and per data lifecycle tools (e.g., S3 lifecycle).
13. Configured region: EU + UK


CubeDev

1. Summary of the processing: Semantic data layer powering reporting in software UI
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Company, address, spend amount, spend description, contractual information.
4. Nature of the processing: Semantic data layer and query acceleration; indexing and caching of analytics data to serve UI reports.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To provide charting and reporting based on the customer's data
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United States
8. Legal Safeguards (if outside EU/EEA): SCCs, PCI-DSS compliant
9. Relevant Security Certificates: SOC 2 (Type I)
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Analytics caches retained while service is active; deletion on termination per DPA.
13. Configured region: EU


Customer.io

1. Summary of the processing: Main transactional email service for sending emails triggered by the software.
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, job title, purchased product information, spend amount, spend description, contractual information.
4. Nature of the processing: Message orchestration and email delivery triggered by application events; template rendering and dispatch.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To send emails to users of the software
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United States
8. Legal Safeguards (if outside EU/EEA): SCCs incorporated in Customer.io Data Processing Addendum.
9. Relevant Security Certificates: ISO27001, SOC 2
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Logs and message data retained per workspace settings; Customer.io supports deletion requests and account closure deletion.
13. Configured region: US



Easypost

1. Summary of the processing: Integration to get quotes for shipments and also to book shipments with providers where we don't have direct integration
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, address, email, phone number, purchased product information, spend amount
4. Nature of the processing: Rate shopping, label purchase, shipment creation, address validation and tracking via API; transmission to carriers.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To get quotes for and book shipments with various logistics providers.
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United States
8. Legal Safeguards (if outside EU/EEA): SCCs incorporated in EasyPost DPA.
9. Relevant Security Certificates: ISO27001
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Retains shipment records as needed for carrier and billing; deletion per DPA and account closure.
13. Configured region: US


Google Cloud Platform

1. Summary of the processing: Cloud hosting and geocoding addresses
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, phone number, job title, purchased product information, spend amount, spend description, contractual information.
4. Nature of the processing: Cloud infrastructure and managed services (e.g., compute, storage, geocoding APIs) to run the application and derive geolocation.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To provide hosting of the software to customers. To determine the geolocation from an address.
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): Global (customer-selected regions)
8. Legal Safeguards (if outside EU/EEA): SCCs incorporated in Google Cloud Data Processing Addendum; EU Data Boundary options.
9. Relevant Security Certificates: ISO/IEC 27001/27017/27018/27701; SOC 2/3; CSA STAR
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Customer‑controlled retention via storage policies; deletion on resource removal; DPA commits to deletion or return after contract.
13. Configured region: UK


HubSpot

1. Summary of the processing: Main CRM and other tools for Marketing, Operations, Sales, Customer Support
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, phone number, job title, purchased product information, spend amount, spend description, contractual information.
4. Nature of the processing: CRM, marketing and support tooling; storage of customer contact information and communications for service and support.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To support customers in using the software
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United States / EU (regional hosting options)
8. Legal Safeguards (if outside EU/EEA): SCCs incorporated in HubSpot DPA; regional hosting options.
9. Relevant Security Certificates: ISO27001, SOC 2
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Data retained while account active; deletion on request and post‑termination per DPA timelines.
13. Configured region: US


Mailgun

1. Summary of the processing: Mail routing service for data coming into the software by email
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, phone number, purchased product information, spend amount, spend description, contractual information.
4. Nature of the processing: Inbound mail routing and processing; parsing and relay of documents and metadata into the application.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To receive documents and data into the software
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United States / EU (regional options via Sinch Mailgun)
8. Legal Safeguards (if outside EU/EEA): SCCs via Sinch Mailgun DPA; EU data residency available.
9. Relevant Security Certificates: ISO27001
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Message logs typically retained for a limited period (e.g., 30 days) depending on product; deletion on request and account closure.
13. Configured region: US


OpenAI

1. Summary of the processing: LLM to extract and structure data from documents received by the software
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, phone number, purchased product information, spend amount, spend description, contractual information.
4. Nature of the processing: LLM-based extraction and transformation of document data; temporary processing of prompts and outputs for model inference.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To extract and transform data from documents sent to the software
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United States (enterprise regional options may apply)
8. Legal Safeguards (if outside EU/EEA): SCCs available via OpenAI DPA; enterprise data residency controls.
9. Relevant Security Certificates: ISO27001, SOC 2, HIPAA, PCI
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Enterprise/API can opt for zero data retention; otherwise logs retained per enterprise settings; deletion per DPA.
13. Configured region: US


Posthog

1. Summary of the processing: Usage analytics and screen recording
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, phone number, job title, purchased product information, spend amount, spend description, contractual information.
4. Nature of the processing: Product analytics, event collection, and optional session recording for troubleshooting and usage insights.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To understand usage of the software and troubleshoot issues
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United Kingdom / EU (EU Cloud available)
8. Legal Safeguards (if outside EU/EEA): SCCs; EU hosting option (PostHog Cloud EU).
9. Relevant Security Certificates: SOC 2 Type II
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Event data retention configurable (e.g., PostHog Cloud default 3–15 months depending on feature); deletion per user configuration.
13. Configured region: EU


Print node

1. Summary of the processing: Printer integration software to print shipping labels to warehouse printers
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, phone number
4. Nature of the processing: Secure relay of print jobs (labels) from the application to customer printers over the internet.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To send labels to hardware printers over the internet
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United Kingdom (EU/UK)
8. Legal Safeguards (if outside EU/EEA): SCCs / UK IDTA per PrintNode DPA, as applicable.
9. Relevant Security Certificates: No ISO; Low risk activity - accepted by CTO
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Retains minimal job metadata; deletion per DPA and account closure.
13. Configured region: UK


Segment

1. Summary of the processing: Capturing and orchestrating user and server events from the software
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, phone number, job title
4. Nature of the processing: Collection, processing and fan-out of application and user events to downstream tools; audience creation.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To feed data events to various other processes
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United States / EU (Regional Segment)
8. Legal Safeguards (if outside EU/EEA): SCCs via Twilio/Segment; Regional Segment (EU) to localize processing.
9. Relevant Security Certificates: ISO27001, ISO27017, ISO27018, SOC 2
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Retention configurable; raw data deletion and suppression supported; deletion requests propagated to destinations.
13. Configured region: EU

 


Shippypro

1. Summary of the processing: Integration to get quotes for shipments, to book shipments and to get live tracking data for providers where we don't have direct integration.
2. Categories of data subjects whose personal data is processed: Senders and recipients of shipments
3. Categories of personal data processed: Name, address, email, phone number, purchased product information, spend amount
4. Nature of the processing: Carrier rate quotes, label generation, booking, and tracking where no direct carrier integration exists.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To get quotes for and book shipments with various logistics providers. To give visibility on shipment status and to provide the data to audit charges against shipments
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): Italy (EU)
8. Legal Safeguards (if outside EU/EEA): N/A (EU-based processing).
9. Relevant Security Certificates: ISO27001
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Retains shipping data for operational/audit needs; deletion per contract.
13. Configured region: EU (Italy)

 


Labelary

1. Summary of the processing: Integration to convert a ZPL-format shipping label to PDF
2. Categories of data subjects whose personal data is processed: Customers, End customers
3. Categories of personal data processed: Name, company, address, email, phone number
4. Nature of the processing: Conversion of ZPL shipping labels into PDF/PNG via a stateless API.
5. Purpose(s) for which the personal data is processed on behalf of the controller: To generate PDF versions of the industry-standard ZPL shipping labels
6. Duration of the processing: For the term of the service agreement and retention necessary to provide the service, then deletion per vendor policy or upon termination.
7. Location (Country): United States
8. Legal Safeguards (if outside EU/EEA): SCCs recommended for EU→US transfers (confirm via vendor terms).
9. Relevant Security Certificates: No public certifications published
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Encryption in transit (TLS) and at rest where supported; access controls and least privilege; logging and monitoring; vulnerability management; incident response and business continuity; role-based access; supplier due diligence.
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Cooperation on data subject rights, breach notification, records of processing, and DPIA support per vendor DPA.
12. Retention SLA: Stateless API; no persistent storage beyond request processing; no long‑term retention.
13. Configured region: US


Annex 1: Field Descriptions

1. Summary of the processing: A brief explanation of the service the sub-processor provides and the associated processing activity.
2. Categories of data subjects whose personal data is processed: The type of individuals whose personal data is handled (e.g., customers, employees, website users).
3. Categories of personal data processed: The specific types of personal data handled (e.g., name, address, email, IP address, usage data).
4. Nature of the processing: A description of how the data is processed (e.g., collection, recording, storage, use, disclosure, destruction).
5. Purpose(s) for which the personal data is processed on behalf of the controller: The specific reason the controller is engaging the sub-processor to process the personal data.
6. Duration of the processing: How long the personal data will be processed or stored by the sub-processor.
7. Location (Country): The country where the sub-processor is located or where the data processing primarily takes place.
8. Legal Safeguards (if outside EU/EEA): The mechanism used to ensure the lawful transfer of personal data outside the European Union/European Economic Area (e.g., Standard Contractual Clauses (SCCs), adequacy decision).
9. Relevant Security Certificates: Information on the sub-processor's security certifications (e.g., ISO 27001, SOC 2).
10. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA: Details of the security measures put in place by the sub-processor to protect the personal data (e.g., encryption, access controls).
11. Technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: Details of measures that allow the sub-processor to assist the controller in meeting their data protection obligations (e.g., responding to data subject requests).
12. Retention SLA: Retention per vendor policy; deletion on request and on termination.
13. Configured region: Set per customer environment


This article was last updated 12-DEC-2025 v2.0