List of Sub-processors
Third parties that process personal data on behalf of TraceWeave in accordance with the GDPR
Last updated: May 2026 · Version 2.0
1. Introduction
TraceWeave uses third-party service providers (hereinafter, "Sub-processors") to host, process and manage the personal data of our customers. This list is kept up to date in accordance with the provisions of our Data Processing Agreement (DPA).
All Sub-processors comply with:
- •General Data Protection Regulation (GDPR - Regulation EU 2016/679)
- •Standard Contractual Clauses (SCCs) approved by the European Commission when they operate outside the EEA
- •Appropriate technical and organisational security measures (Article 32 GDPR)
- •Recognised certifications (ISO 27001, SOC 2, etc.)
2. Categories of Sub-processors
TraceWeave works with a set of sub-processors grouped by functional category. The specific identity of each sub-processor, its registered office and the operational details of the processing are documented internally in the Record of Processing Activities (Art. 30 GDPR) and are made available to data controllers who have entered into a DPA, upon reasoned request by email to hola@traceweave.eu with the subject [Sub-processors] Request for detailed listing.
| Category | Purpose | Location | Safeguards |
|---|---|---|---|
| Hosting and CDN | Hosting of the web platform and distribution of static content. | Multi-region (EU + USA) | SCCs, DPF, provider certifications (SOC 2) |
| Managed database and authentication | Persistence of platform data and management of user identities. | EU (Frankfurt) | EU hosting, provider certifications (ISO 27001 / SOC 2) |
| Object storage | Storage of images, documents and files uploaded by users. | EU (Frankfurt) | Encryption at rest, EU hosting, provider certifications (ISO 27001 / SOC 2) |
| Transactional email | Sending of operational service emails (subscription confirmation, credential reset, notifications). | USA | SCCs, DPF, TLS encryption |
| Payment gateway | Payment processing and billing management, where applicable to the contracted plan. | Multi-region (EU + USA) | PCI DSS, SCCs, DPF |
| Error monitoring | Capture and analysis of application errors to maintain service stability, with prior scrubbing of personal data. | EU (Frankfurt) | EU hosting, provider certifications (ISO 27001 / SOC 2) |
| Aggregated usage analytics | Web performance and aggregated traffic metrics, without individual profiling. | EU (with possible occasional processing outside the EEA under SCCs/DPF) | SCCs, DPF, anonymisation |
Safeguards legend
3. Change Notification Mechanism
3.1 Prior Notification
TraceWeave will notify all customers at least 30 days in advance before:
- •Adding a new sub-processor to the list
- •Replacing an existing sub-processor with another
- •Modifying the geographic location of data processing by a sub-processor
3.2 Notification Channels
Notifications will be sent through:
Email to the account administrator
Automated email to the email of the customer account's main administrator.
Update to this page
This list will be updated with the "Upcoming change" banner visible at the top.
3.3 Right to Object
In accordance with the DPA (Section 5.1), the customer may object to a change of sub-processor on justified grounds relating to data protection within 15 days following the notification.
Objection procedure: Send an email to hola@traceweave.eu indicating the sub-processor to which you object and the justified reasons. TraceWeave will assess the objection and, if it is not possible to refrain from engaging the sub-processor, the customer may suspend or terminate the contract without penalty.
3.4 Minor Changes (Without Prior Notification)
Purely administrative changes that do not affect data processing do not require prior notification, such as updating the sub-processor's URL, a change of company name without a change of legal entity, or an improvement to existing security certifications. These changes will be reflected directly in this list.
4. Standard Contractual Clauses (SCCs)
TraceWeave has entered into Standard Contractual Clauses (SCCs) in accordance with the European Commission's Implementing Decision (EU) 2021/914 with all sub-processors that process personal data outside the European Economic Area (EEA).
Applicable module
For international transfers to sub-processors, TraceWeave uses Module Three (Processor-to-Processor) of the SCCs.
Between TraceWeave and its customers, Module Two (Controller-to-Processor) applies, in accordance with the DPA.
Transfer Impact Assessment (TIA)
TraceWeave has carried out a Transfer Impact Assessment (TIA) for each sub-processor located outside the EEA, in accordance with the recommendation of the EDPB (European Data Protection Board).
The TIAs conclude that the safeguards applied (SCCs + supplementary technical measures such as encryption, access controls and anonymisation) are sufficient to ensure a level of protection essentially equivalent to that of the GDPR.
Request a copy of the SCCs
Enterprise plan customers may request a copy of the SCCs entered into with specific sub-processors for audit or compliance purposes.
Request SCCs5. Contact
For inquiries about this list of sub-processors, change notifications or the exercise of the right to object, please contact:
Data protection contact
TraceWeave SL
Postal Address
TraceWeave SL — Attn: Privacy, Sevilla, Spain
Do you have questions about our sub-processors?
Our data protection team is available to answer any inquiry related to data processing.
Contact the privacy team