Sub-Processors
Complete list of third-party sub-processors authorized to process data on behalf of DanubeData customers, including their roles, locations, and data transfer safeguards.
1. Introduction
DanubeData is committed to transparency regarding the third-party service providers ("sub-processors") that process data on behalf of our customers. As a cloud infrastructure provider operating under the General Data Protection Regulation (GDPR) and aligned with the CISPE Code of Conduct for Cloud Infrastructure Service Providers, we maintain this publicly available list of all sub-processors engaged in the delivery of our services.
This page supplements the Data Processing Agreement (DPA) between DanubeData and its customers. By using DanubeData services, you acknowledge the use of the sub-processors listed below under the terms of the DPA.
2. Current Sub-Processor List
The following sub-processors are currently authorized to process data in connection with the delivery of DanubeData services:
| Sub-Processor | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH | Data center infrastructure, dedicated servers, networking | Customer workloads, metadata, network traffic | Falkenstein & Nuremberg, Germany (EU) | No transfer (intra-EEA) |
| Stripe, Inc. | Payment processing, fraud detection, invoicing | Customer name, email, payment information (via Stripe.js — PCI DSS Level 1 compliant) | United States (EU entity available) | EU Standard Contractual Clauses (SCCs) |
| MailerSend (Mailerlite, UAB) | Transactional email delivery | Email addresses, notification content | Lithuania (EU) | No transfer (intra-EEA) |
| Google LLC (Authentication) | OAuth social sign-in (opt-in by customer) | Email address, name, profile picture | United States | EU Standard Contractual Clauses (SCCs) |
| GitHub, Inc. (Microsoft) | OAuth social sign-in (opt-in by customer) | Email address, username | United States | EU Standard Contractual Clauses (SCCs) |
| Google LLC (Analytics) | Website usage analytics (consent-based) | Anonymized IP, page views, cookies | United States | EU Standard Contractual Clauses (SCCs) |
| Bugsnag (SmartBear Software Inc.) | Application error monitoring | Error metadata, request context (no customer personal data) | United States | EU Standard Contractual Clauses (SCCs) |
3. Sub-Processor Change Notification
DanubeData will notify customers of any intended changes to the list of sub-processors, including additions or replacements, at least 30 days before the new sub-processor begins processing data. Notifications are sent by email to the account owner registered on the team.
Customers may manage their notification preferences through the DanubeData dashboard settings. We recommend keeping sub-processor change notifications enabled to stay informed of any updates.
4. Customer Objection Right
If you object to a new sub-processor, you may submit a written objection to dpo@danubedata.ro within 30 days of receiving the change notification. Your objection must include the specific grounds for your concern.
Upon receiving a valid objection, DanubeData will make commercially reasonable efforts to:
- Provide an alternative solution that avoids the use of the objected-to sub-processor
- Modify the service configuration to exclude the sub-processor for your workloads
- Suggest reasonable alternatives that address your data protection concerns
If no commercially reasonable alternative is available, you may terminate the affected services without penalty within 30 days of DanubeData's notification that no alternative can be provided.
5. Sub-Processor Contractual Requirements
All sub-processors engaged by DanubeData are bound by the following obligations:
- A written data processing agreement with terms at least as restrictive as those in DanubeData's Data Processing Agreement (DPA)
- Full compliance with the GDPR and applicable data protection laws
- Implementation of appropriate technical and organizational security measures
- Obligations of confidentiality for all personnel processing personal data
- Cooperation with data subject rights requests and supervisory authority inquiries
DanubeData remains fully liable to its customers for the performance of its sub-processors' obligations under the DPA. We conduct periodic assessments of our sub-processors to verify ongoing compliance.
6. Data Transfer Safeguards
6.1 EU/EEA Sub-Processors
Sub-processors located within the European Union or European Economic Area do not require cross-border data transfer mechanisms. Data processed by Hetzner Online GmbH and MailerSend (Lithuania) remains entirely within the EU.
6.2 Non-EU Sub-Processors
For sub-processors located outside the EU/EEA, DanubeData ensures lawful data transfers through the following safeguards:
- EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), executed with each non-EU sub-processor
- Supplementary technical measures including encryption in transit (TLS 1.2+), encryption at rest where applicable, and strict access controls
- Transfer impact assessments performed for each non-EU sub-processor to evaluate the legal framework of the recipient country and the effectiveness of safeguards
- Data minimization ensuring only the minimum necessary data is transferred to non-EU sub-processors
7. Change History
The following table documents all changes to the sub-processor list:
| Date | Change Type | Sub-Processor | Details |
|---|---|---|---|
| March 28, 2026 | Initial Publication | All | Initial sub-processor list published |
8. Contact
For questions about this sub-processor list, data transfer safeguards, or to exercise your objection right, please contact our Data Protection Officer:
Email: dpo@danubedata.ro