LegalLT
Sub-processors
Last updated: May 1, 2026
This list is published under GDPR Art. 28(2) and our Data Processing Agreement. All vendors below are bound under GDPR Art. 28 and only process data on our instructions.
New sub-processors are introduced only after at least 30 days’ prior notice by email. Customers have the right to object and terminate without penalty.
Active sub-processors
Vercel
- Purpose
- Hosting, static assets, edge network
- Location
- EU (Frankfurt)
- Transfer mechanism
- Within EU
- Updated
- 2026-05-01
Supabase
- Purpose
- Database and authentication
- Location
- EU (eu-central-1, Frankfurt)
- Transfer mechanism
- Within EU
- Updated
- 2026-05-01
Stripe Payments Europe Ltd.
- Purpose
- Payment processing and subscriptions
- Location
- EEA (Ireland)
- Transfer mechanism
- Within EEA + SCCs
- Updated
- 2026-05-01
OpenAI
- Purpose
- Vision model for CMR field extraction
- Location
- United States
- Transfer mechanism
- SCCs (Module 2) + Enterprise DPA · no model training on your data
- Updated
- 2026-05-01
Resend
- Purpose
- Transactional email (invoices, notifications)
- Location
- EU
- Transfer mechanism
- Within EU
- Updated
- 2026-05-01
Cal.com
- Purpose
- Booking
- Location
- EU
- Transfer mechanism
- Within EU
- Updated
- 2026-05-01
Cloudflare
- Purpose
- DNS, CDN, email routing
- Location
- Anycast (global)
- Transfer mechanism
- SCCs + supplementary technical measures
- Updated
- 2026-05-01
Questions
Sub-processor questions or objections — dpo@ecmrcapture.com.