Overview of all sub-processors pursuant to GDPR Art. 28 paras. 2 and 3 and revDSG Art. 9 para. 3 · As of: 2026-05-02
To operate the platform, the provider engages sub-processors. This page lists all current sub-processors with purpose, processing region and the status of the data processing agreement (DPA). The list is updated whenever changes occur; pursuant to section 15 of the Terms, customers may raise reasoned objections within 30 days.
| Provider | Purpose | Region | DPA status | Last change |
|---|---|---|---|---|
| MongoDB Atlas | Database hosting (operational data, CSFLE-encrypted fields, audit trails) | europe-west6 (Zurich) | Atlas DPA | 2026-05-02 |
| Google Cloud EMEA Limited (Cloud Run, Cloud Storage, Cloud KMS, Cloud DLP, Vertex AI) | Compute, file storage, key management (key sovereignty remains with the provider), pseudonymisation prior to AI processing, AI processing | europe-west6 (Zurich) for operational data, europe-west1 (Belgium) for AI processing | Google Cloud Data Processing Addendum (in force) | 2026-05-02 |
| AWS SES | Transactional email delivery (system notifications, login emails, reports) | eu-central-1 (Frankfurt) | AWS DPA | 2026-05-02 |
| Cloudflare Turnstile | Bot protection for public forms (login, registration, contact forms) | global (edge network) | Cloudflare DPA | 2026-05-02 |
| Twilio | SMS 2FA for portal users (second authentication factor) | EU region | Twilio DPA | 2026-05-02 |
| PostHog EU Cloud | Product analytics — pseudonymised product and behavioural telemetry (no plaintext personal data) | EU (Frankfurt) | PostHog DPA | 2026-05-04 |
Operational platform data (database, file storage, audit logs) remains in Switzerland (region europe-west6, Zurich). AI processing takes place in the EU (region europe-west1, Belgium); the specific AI sub-processor is listed in the table above. Email delivery runs through AWS SES in the EU (eu-central-1, Frankfurt). Cloudflare Turnstile operates as a global edge service but only returns an anonymous bot-protection token and does not process platform data. For any third-country transfers, the Standard Contractual Clauses (SCC) of the European Commission apply.
A data processing agreement is in place with each sub-processor listed above. The DPAs are stored in the internal compliance archive and made available to customers for review on request, to the extent required by contract or by law.
The provider informs customers of planned changes or additions to the sub-processor list. Pursuant to section 15 of the Terms, objections must be submitted in writing to security@sothura.com within 30 days. In the case of legitimate data-protection or security-related objections, the customer has a special right of termination if no equivalent alternative can be offered.