List of Subprocessors

Last updated: 08.07.2026

Recommand uses carefully selected third-party subprocessors to support the delivery of its Peppol API, application platform, and related services. Each subprocessor has been reviewed for GDPR compliance, security posture, and contractual safeguards.

This list is provided in accordance with the Recommand Data Processing Agreement (DPA). Customers (as Controllers) will be informed of material changes to this list as described in the DPA.

Current Subprocessors

Category Subprocessor Location Purpose Safeguards
Hosting & Infrastructure Amazon Web Services (AWS) EU Compute, storage, infrastructure, networking EU data centers; SCCs not required
Hosting & Infrastructure Google Cloud Platform EU Container hosting, networking EU data centers
Hosting & Infrastructure Digital Ocean EU Container hosting, storage, networking EU data centers
Hosting & Infrastructure Hetzner EU Container hosting, networking EU data centers
Backup & Storage Backblaze B2 EU Encrypted backups EU storage; encrypted
DNS / CDN / Security Cloudflare EU/Global DNS, DDoS protection, TLS termination GDPR-compliant; data minimization
Developer platform GitHub (GitHub, Inc.) USA/EU Source code hosting, CI/CD, issue tracking SCCs in place; data minimization
Payments Mollie BV EU Subscription payments EU; PSD2 regulated
Transactional email Postmark (ActiveCampaign LLC) USA System & transactional email delivery SCCs in place
Analytics PostHog EU Product analytics EU hosting
Analytics Plausible EU Web analytics No cookies; EU hosting
Analytics Google Analytics 4 EU/Global Web analytics (only after user consent) SCCs; IP anonymization
Advertising Google Ads EU/Global Conversion tracking & remarketing (only after consent) SCCs
Advertising LinkedIn Insight Tag EU/Global Advertising attribution (only after consent) SCCs
Lead attribution Apollo.io, Inc. USA Identifying company visitors on website SCCs in place; data minimization
Error tracking Sentry (Functional Software, Inc.) EU Application error monitoring EU hosting
Internal collaboration Slack (Salesforce, Inc.) USA/EU Internal communication, may include customer references SCCs in place; strict access controls
Identity verification Didit EU KYC identity verification, liveness & document checks GDPR-compliant; data minimization

Advertising and marketing tools are activated only after explicit cookie consent, as described in our Cookie Policy.

International Transfers

Some subprocessors may process limited data outside the European Economic Area (EEA). When this occurs, Recommand ensures appropriate safeguards under Chapter V of the GDPR, including:

  • EU Standard Contractual Clauses (SCCs)
  • Data minimization
  • Encryption and secure transport
  • Access restricted to need-to-know basis

Version history

Download PDF
  • Effective 08.07.2026PDF
  • Effective 07.02.2026PDF