CerynixGovernance · Evidence · Resilience
Platform Pricing Security Sign in

Legal

Sub-processors

Version 0.1 (draft) · Annex III to the DPA · Last verified [DATE].

⚠️ Draft — verify before publishing. This is Annex III to the DPA. It lists third parties that may process Customer personal data in the managed (SaaS) model. Self-hosted deployments normally involve no Cerynix sub-processors for Customer Content. Each entry must be confirmed and the provider's DPA signed before it is relied upon.

Current sub-processors

Sub-processor Role / service Data processed Location / region Transfer basis Provider DPA / list
Hetzner Online GmbH
Industriestraße 25, 91710 Gunzenhausen, Germany
Infrastructure / IaaS hosting (compute, storage, backups) — the Cerynix production stack All Customer Content and account data hosted in the managed Service EU — Germany (data residency in EEA by default) Intra-EEA (no Art. 46 transfer needed for EU region) DPA (Art. 28) concluded in the Hetzner account; provider DPA at hetzner.com/AV/DPA_en.pdf; sub-processor list at hetzner.com/AV/subunternehmer.pdf
Cloudflare, Inc.
US; EU entity Cloudflare Germany GmbH
CDN / edge, WAF, TLS termination, DNS for cerynix.com / app.cerynix.com Traffic metadata and any personal data in requests passing through the edge (IP addresses, request data); no persistent storage of Customer Content by design Global edge network (incl. non-EEA) EU Standard Contractual Clauses and/or EU–US Data Privacy Framework, per Cloudflare's DPA Cloudflare Customer DPA at cloudflare.com/cloudflare-customer-dpa; sub-processor list at cloudflare.com/gdpr/subprocessors
[Transactional email provider] — planned Sending account / system emails (verification, notifications) — to be confirmed once transactional email is wired in production (landing lead-capture is currently email-only) Recipient email address, email content [region] [SCC if non-EEA] [provider DPA link]

Notes

  • Data residency: primary storage is in the EU (Hetzner / Germany). Cloudflare operates a global edge; personal data may transit non-EEA edge nodes, covered by SCC / DPF.
  • Change process: additions / replacements are notified per the DPA (§4) with [30] days' notice and a right to object on data-protection grounds.
  • Self-hosted: Customer-operated deployments do not use these sub-processors for Customer Content unless the Customer chooses equivalent providers itself.
  • Website: the marketing site is fully static (no analytics, no tracking cookies, script-src 'none') and lead capture is an email link, so there is currently no analytics or email sub-processor for the website itself.
© 2026 Andrejs Sevcenko. All rights reserved. HomePricingPrivacyTermsDPASubprocessorsContact

Cerynix supports your NIS2, ISO/IEC 27001 and GDPR readiness. It is not legal advice and does not guarantee compliance or certification. This page is a draft pending review by qualified counsel.