Sub-processors
Last updated 2026-04-26 · Effective from 2026-04-26
This page is the single source of truth for all third parties processing Kiseki Customer data. It is updated whenever a vendor is added or changed; Customers are notified at least 30 days in advance per the DPA §5.4.
Current sub-processors
| # | Vendor | Purpose | Data processed | Region | DPA |
|---|---|---|---|---|---|
| 1 | Anthropic | AI text generation (Claude Opus 4.7) | Ad copy briefs, prospect conversation context, generated copy | US | link |
| 2 | OpenAI | AI image generation (gpt-image-1), text embeddings | Ad creative briefs, prompt context, generated images | US | link |
| 3 | Supabase | Database (Postgres + storage) | Tenant configuration, ad creative metadata, prospect conversations, payment tokens | EU (eu-west-1) | link |
| 4 | Cloudflare | CDN, DNS, DDoS protection, edge caching | Visitor IP addresses, browser metadata, request / response data | US | link |
| 5 | Hetzner Online GmbH | Server infrastructure (Kiseki backend hosting) | All Kiseki data at rest (encrypted), all backend computation | DE (EU) | link |
| 6 | Resend | Transactional email delivery | Customer email addresses, email content (welcome, billing, notifications) | US | link |
| 7 | Polar.sh | Merchant of Record, payment processing, tax compliance | Customer billing data, payment methods, transaction history | US | link |
| 8 | Mux | Video hosting (VSL Builder) | Customer-uploaded videos, video analytics | US | link |
| 9 | Apify | Competitor research scraping | Public web data (competitor ads, public profiles); no Customer PII | US | link |
| 10 | Upstash | Redis (queue + caching) | Job queue payloads (ephemeral), session caches | US / EU multi-region | link |
| 11 | Meta Platforms (Facebook / Instagram) | Advertising delivery (Marketing API) | Customer ad creative, ad spend, audience targeting parameters, campaign performance | US | link |
| 12 | Google LLC (Workspace) | Email, calendar, docs (internal Kiseki team only — not Customer data) | Internal team comms only | US | link |
Cross-border data transfers
Kiseki transfers data to:
- United States: Anthropic, OpenAI, Cloudflare, Resend, Polar, Mux, Apify, Meta, Google
- European Union (Germany): Hetzner
- European Union (Ireland — eu-west-1): Supabase
- Multi-region (US / EU): Upstash
Legal basis for EU → US transfers
- All US sub-processors covered by Standard Contractual Clauses (SCCs) in their DPAs;
- Data minimization: only data strictly necessary for service delivery;
- No special category data (Art. 9 GDPR) without explicit consent;
- Encryption at rest (AES-256) and in transit (TLS 1.3) across all transfers.
Sub-processor change notification
Per DPA §5.4, Kiseki notifies Customers at least 30 days in advance of adding or changing sub-processors via:
- Email to
legal@on the customer's domain (if configured) or to the primary admin; - Update to this page;
- Customer has 30 days to object; if no resolution, Customer may terminate.
Questions
Privacy and sub-processor questions: privacy@thekiseki.app