Effective from the 18th of June 2026
| Sub-processor | Location of entity / data centers | Purpose of Processing | Categories of data | Transfer safeguard (if outside EU/EEA) |
|---|---|---|---|---|
| Salesforce / Heroku | EU (e.g. Ireland) | Hosting of application and databases for the Culturequest platform | All Customer Personal Data stored in the platform | SCCs and other safeguards between Culturequest and Salesforce |
| Amazon Web Services (AWS) (used by Heroku) | EU (Stockholm, eu-north-1) | Underlying infrastructure for hosting and storage (Storage of uploaded files, attachments and imports) | All Customer Personal Data stored in the platform. Files and documents uploaded by Customer or its users | SCCs and provider certifications (e.g. ISO, SOC) |
| Twilio SendGrid | Primarily USA | Email delivery of survey invitations, reminders and platform notifications | Names (if used in mail content), email addresses, email metadata | SCCs and, where applicable, participation in recognized transfer frameworks |
| Okta / Auth0 | EU and/or USA (depending on tenant and configuration) | Authentication, single sign-on and user identity management | User identifiers, email addresses, authentication data, login metadata | SCCs, regional hosting and security certifications |
| Anthropic | USA | AI-based analysis of free-text survey responses (e.g. summarization, categorization, sentiment) | Free-text comments and associated context (only as sent in API calls) | SCCs; API terms ensuring data not used to train public models |
| Linear | USA | Internal issue and task management for development and support | Limited Personal Data contained in diagnostic descriptions or support tasks (if Customer or Culturequest includes it) | SCCs; restricted use and access controls |
| One.com | EU | DNS and domain services | No direct Processing of Customer Personal Data; only technical data related to domains and traffic | N/A (no Customer Personal Data) |
| GitHub | USA / EU (depending on hosting) | Source code repository and CI for the platform | Normally no Customer Personal Data; may incidentally include data in logs or test data if uploaded | SCCs; internal policies to avoid storing Customer Personal Data |
| Stripe | USA / EU (depending on hosting) | Payment and subscription billing | Billing contact and account/transaction metadata | SCCs; PCI-DSS |
| Open AI | USA | AI-based analysis of free-text survey responses and conversational/chat features, and as a failover AI provider | Free-text comments, chat messages and associated context (only as sent in API calls) | SCCs; API terms ensuring data not used to train public models |
| Customer.io | EU | Email delivery and messaging of survey invitations, reminders and platform notifications | Names (if used in mail content), email addresses, email metadata | SCCs and, where applicable, EU data-region hosting |
| Pusher (Bird) | EU | Real-time, in-app delivery of job-completion and status events to signed-in users | User identifiers and event/job metadata only (no survey content, comments, names or emails) | SCCs / UK IDTA where applicable |
| New Relic | EU | Application performance monitoring and error tracking for the backend | Technical and diagnostic data (e.g. IP address, request/transaction metadata); may incidentally include identifiers in traces | SCCs |