Effective from the 18th of June 2026

Sub-processor Location of entity / data centers Purpose of Processing Categories of data Transfer safeguard (if outside EU/EEA)
Salesforce / Heroku EU (e.g. Ireland) Hosting of application and databases for the Culturequest platform All Customer Personal Data stored in the platform SCCs and other safeguards between Culturequest and Salesforce
Amazon Web Services (AWS) (used by Heroku) EU (Stockholm, eu-north-1) Underlying infrastructure for hosting and storage (Storage of uploaded files, attachments and imports) All Customer Personal Data stored in the platform. Files and documents uploaded by Customer or its users SCCs and provider certifications (e.g. ISO, SOC)
Twilio SendGrid Primarily USA Email delivery of survey invitations, reminders and platform notifications Names (if used in mail content), email addresses, email metadata SCCs and, where applicable, participation in recognized transfer frameworks
Okta / Auth0 EU and/or USA (depending on tenant and configuration) Authentication, single sign-on and user identity management User identifiers, email addresses, authentication data, login metadata SCCs, regional hosting and security certifications
Anthropic USA AI-based analysis of free-text survey responses (e.g. summarization, categorization, sentiment) Free-text comments and associated context (only as sent in API calls) SCCs; API terms ensuring data not used to train public models
Linear USA Internal issue and task management for development and support Limited Personal Data contained in diagnostic descriptions or support tasks (if Customer or Culturequest includes it) SCCs; restricted use and access controls
One.com EU DNS and domain services No direct Processing of Customer Personal Data; only technical data related to domains and traffic N/A (no Customer Personal Data)
GitHub USA / EU (depending on hosting) Source code repository and CI for the platform Normally no Customer Personal Data; may incidentally include data in logs or test data if uploaded SCCs; internal policies to avoid storing Customer Personal Data
Stripe USA / EU (depending on hosting) Payment and subscription billing Billing contact and account/transaction metadata SCCs; PCI-DSS
Open AI USA AI-based analysis of free-text survey responses and conversational/chat features, and as a failover AI provider Free-text comments, chat messages and associated context (only as sent in API calls) SCCs; API terms ensuring data not used to train public models
Customer.io EU Email delivery and messaging of survey invitations, reminders and platform notifications Names (if used in mail content), email addresses, email metadata SCCs and, where applicable, EU data-region hosting
Pusher (Bird) EU Real-time, in-app delivery of job-completion and status events to signed-in users User identifiers and event/job metadata only (no survey content, comments, names or emails) SCCs / UK IDTA where applicable
New Relic EU Application performance monitoring and error tracking for the backend Technical and diagnostic data (e.g. IP address, request/transaction metadata); may incidentally include identifiers in traces SCCs