Effective from the 1st of January 2026

Subprocessor Location of entity / data centers Purpose of Processing Categories of data Transfer safeguard (if outside EU/EEA)
Salesforce / Heroku EU (e.g. Ireland) Hosting of application and databases for the Culturequest platform All Customer Personal Data stored in the platform SCCs and other safeguards between Culturequest and Salesforce
Amazon Web Services (AWS) (used by Heroku) EU (e.g. Ireland) Underlying infrastructure for hosting and storage All Customer Personal Data stored in the platform SCCs and provider certifications (e.g. ISO, SOC)
Twilio SendGrid Primarily USA Email delivery of survey invitations, reminders and platform notifications Names (if used in mail content), email addresses, email metadata SCCs and, where applicable, participation in recognized transfer frameworks
Okta / Auth0 EU and/or USA (depending on tenant and configuration) Authentication, single sign-on and user identity management User identifiers, email addresses, authentication data, login metadata SCCs, regional hosting and security certifications
OpenAI USA AI-based analysis of free-text survey responses (e.g. summarization, categorization, sentiment) Free-text comments and associated context (only as sent in API calls) SCCs; API terms ensuring data not used to train public models
Linear USA Internal issue and task management for development and support Limited Personal Data contained in diagnostic descriptions or support tasks (if Customer or Culturequest includes it) SCCs; restricted use and access controls
One.com EU DNS and domain services No direct Processing of Customer Personal Data; only technical data related to domains and traffic N/A (no Customer Personal Data)
GitHub USA / EU (depending on hosting) Source code repository and CI for the platform Normally no Customer Personal Data; may incidentally include data in logs or test data if uploaded SCCs; internal policies to avoid storing Customer Personal Data