Subprocessor List

Third-party services that process your data (GDPR Article 28)


This page lists the third-party subprocessors we use to provide the BaciScout service. Each subprocessor has been evaluated for security, privacy, and GDPR compliance.

Stripe
Purpose

Payment processing, subscription management, invoicing

Data Processed
  • Payment details (card number, expiry - PCI-DSS compliant)
  • Billing address
  • Invoice history
Location

United States / EU (Stripe has EU infrastructure)

Security Certifications
PCI-DSS Level 1, SOC 2, ISO 27001
GDPR Compliance

Stripe is GDPR compliant and provides an EU Data Processing Addendum (DPA). Data is encrypted at rest and in transit. BaciScout only sees the last 4 digits of card numbers.

OpenAI / Anthropic
Purpose

AI-powered tender analysis, bid recommendations

Data Processed
  • Tender descriptions and requirements
  • Company profile data (CPV codes, keywords)
  • No personal user data sent to APIs
Location

United States

Security Measures
SOC 2, ISO 27001
GDPR Compliance

Both providers offer GDPR-compliant data processing. API keys are encrypted at rest using Fernet. Data is retained for 30 days (OpenAI) or not stored (Anthropic Claude). No personal data is sent.

Hetzner Online
Purpose

Cloud infrastructure hosting, database storage

Data Processed
  • All application data
  • User accounts and profiles
  • Tender matches and activity logs
Location

Germany (EU) - Data centers in Frankfurt/Nuremberg

Security Certifications
ISO 27001, GDPR Compliant
GDPR Compliance

Hetzner is a German company operating under EU data protection laws. Data stored with Hetzner never leaves the EU. They provide GDPR-compliant hosting and data processing infrastructure.

SMTP Provider
Purpose

Email delivery, transactional emails

Data Processed
  • Email addresses
  • Notification content
  • Tender alert digests
Location

Configured by customer (self-hosted or third-party)

Security
TLS/SSL Encrypted
GDPR Compliance

Email delivery is configured per customer deployment. Customers can use EU-based SMTP providers or self-hosted email servers to ensure data remains within the EU.

Subprocessor Changes

We may add or update subprocessors to improve our service. We will notify you of material changes via email at least 30 days in advance. You may object to new subprocessors by canceling your subscription.

Data Processing Agreement (DPA)

All subprocessors have signed Data Processing Agreements with BaciScout or their parent companies, ensuring GDPR-compliant data processing practices. We regularly audit subprocessor compliance.

Data Transfers: Some subprocessors (OpenAI, Anthropic, Stripe) are located outside the EU. We use EU Standard Contractual Clauses (SCCs) and other legal mechanisms to ensure adequate data protection as required by GDPR Chapter V.