Subprocessors

Version 2 · Effective from [[FILL: notice-send-date + 30 days]]

Superseded

Summary: Added PostHog Inc. as subprocessor for product analytics and error monitoring (Phase 1). Customer support deferred.

DRAFT — for demo and vendor-risk-review purposes only. This document has not yet been reviewed by counsel. Final wording will be substituted before pilot launch. Do not rely on this draft for any binding commercial decision.

Subprocessor List

Effective from [[FILL: effective date — set to notice-send-date + 30 calendar days minimum]] — Version 2 · Last reviewed: 15 May 2026

Summary of changes vs. Version 1: Added PostHog Inc. as a subprocessor for product analytics and frontend/backend error monitoring. Scope is limited to the Phase 1 PostHog activation defined in PLAN_POSTHOG_INTEGRATION.md (analytics + exceptions). PostHog's Customer Support Inbox is not activated by this version and remains a deferred Phase 2 change that will be introduced via a separate subprocessor version and a fresh 30-day notice.

This list identifies the third parties that Fintum Market Intelligence GmbH ("we") engages to process personal data on behalf of our customers in the course of providing the Market Intelligence platform. It is the authoritative reference for Article 28 (2) and (4) GDPR / Section 11 of our Data Processing Agreement.

Scope

For the purposes of this list, "personal data" means Authorized User data that we process for our customers — the names, email addresses, login activity, IP addresses, support correspondence, and similar metadata of the customer's employees who access the platform. Where a third party processes only data we control under our own Privacy Policy (visitor analytics, billing-side data, etc.), it is not within the scope of this Subprocessor list and is governed by that Policy instead.

The el-fondo consumer application has its own subprocessor disclosures published with that product. Subprocessors involved exclusively in el-fondo (for example consumer-side analytics) are not within the scope of this list.

Current subprocessors

| Subprocessor | Role | Processing location | Categories of personal data | Transfer mechanism |
| --- | --- | --- | --- | --- |
| Amazon Web Services EMEA SARL | Cloud hosting, database (PostgreSQL/TimescaleDB), file storage, key management | `eu-central-1` (Frankfurt, Germany) | All Authorized User profile, authentication, session, and audit data; encrypted at rest using AWS KMS-managed keys | EU – EU; no third-country transfer mechanism required. We have signed AWS's Data Processing Addendum which incorporates the EU SCCs as a fallback for any incidental US support access. |
| Resend, Inc. | Transactional email (invitations, agreement acceptance confirmations, security alerts, MFA codes, password resets) | EU (Ireland) | Recipient email address and full name; the body of the message including any platform identifiers it references | EU – EU; no third-country transfer mechanism required. We have signed Resend's Data Processing Agreement. |
| PostHog Inc. | Product analytics and error monitoring for the Market Intelligence platform (Phase 1 scope; Customer Support Inbox is deferred to a future version of this list) | EU cloud — Frankfurt or Dublin region (operator confirms exact data-centre region with PostHog at project provisioning time) | Authorized User identifier (UUID), event metadata describing platform interactions (screen, feature, period selection, etc.), redacted IP addresses, redacted error messages and stack-trace fingerprints from unhandled frontend and backend exceptions. Free-text payloads, request bodies, query strings and full stack traces are stripped before send. | EU – EU; signed PostHog DPA (see https://posthog.com/dpa) incorporates the EU SCCs as a fallback for any incidental US support access. |

How we choose and oversee subprocessors

Before we engage any subprocessor we conduct a documented due-diligence review covering:

  • The subprocessor's organisational and technical security controls, evidenced by a current SOC 2 Type II report, ISO 27001 certificate, or equivalent independent attestation.
  • Their data-processing locations, sub-subprocessor relationships, and applicable transfer mechanisms.
  • The data-protection terms in the contract we sign with them, which must meet the Article 28 GDPR requirements at a minimum.
  • The legal jurisdiction in which the subprocessor is established, including any cross-border-data-transfer implications under Schrems II and the GDPR's Chapter V.

We re-review each subprocessor at least annually and on any material change to their service.

Notification of changes (Art. 28 (2) GDPR)

We notify the primary administrator of every active customer of any addition or replacement of a subprocessor at least 30 calendar days in advance of the change taking effect. The notice is delivered through:

  • An update to this list at its permanent URL with an incremented version (the prior version is preserved at `/legal/subprocessors/v1`; the version you are reading is the current one).
  • An email to the customer's primary admin contact summarising the change, the reason, the new subprocessor's data-processing locations, and the transfer mechanism if any.
  • An in-platform banner visible to every Company Admin of an affected customer.

Customers may object to a proposed subprocessor change on legitimate data-protection grounds. To object, write to privacy (at) fintum-mi.com within the 30-day notice period describing the basis of the objection. We will engage in good-faith discussion and, if no resolution is reached, the customer is entitled to terminate the affected service without penalty under the Master Subscription Agreement.

If no objection is received during the notice period, the customer is treated as having accepted the change as of the effective date.

Not currently in use

The following providers are not currently engaged as subprocessors for the Market Intelligence platform. If we add any of them in the future the addition will follow the change-notification procedure above.

  • Cloudflare (CDN, DDoS protection)
  • Google Cloud Platform
  • Stripe (billing) — billing is handled offline during the pilot phase
  • Sentry (error tracking) — superseded by PostHog Exceptions; see "A note on PostHog" below
  • PostHog as a Customer Support Inbox tool — see "A note on PostHog" below
  • Any third-party advertising-network provider — never expected to be added; if it ever changed it would be a substantive change to our business model

A note on PostHog

PostHog Inc. is engaged for two distinct activities, which we treat as separate disclosure events:

  1. Product analytics and error monitoring (this version, Version 2). PostHog processes Authorized User identifiers, event metadata describing how users navigate the platform, redacted IP addresses, and redacted error / exception payloads. This activity is what the row above governs.
  2. Customer Support Inbox (not yet active; planned Phase 2 — see PLAN_POSTHOG_INTEGRATION.md and PLAN_POSTHOG_04_CUSTOMER_SUPPORT.md). When activated, this will introduce processing of additional categories (the contents of support tickets and replies). Activation will be staged behind a fresh version of this list, communicated through the 30-day notification flow above, and gated on the new notice period elapsing without unresolved objection.

PostHog also serves as the panel-tracking provider for the el-fondo consumer application; data processed in that capacity is governed by el-fondo's own privacy disclosures and is not in scope here.

Customer support tooling

The Master Subscription Agreement gives us latitude to engage third-party tools to triage and respond to customer inquiries. The list of tools we currently use for that purpose is reflected in this Subprocessor list — there is no separate, hidden tool that processes Authorized User data outside what is named here. If a customer asks for confirmation in writing of the exact set of tools we use, we provide it through privacy (at) fintum-mi.com.

Contact

Questions about this list, requests for evidence of due-diligence reviews, or copies of the Data Processing Agreements we hold with the subprocessors named above can be directed to privacy (at) fintum-mi.com.
