List of Subprocessors
Last updated: Nov 12, 2025
Recommand uses carefully selected third-party subprocessors to support the delivery of its Peppol API, application platform, and related services. Each subprocessor has been reviewed for GDPR compliance, security posture, and contractual safeguards.
This list is provided in accordance with the Recommand Data Processing Agreement (DPA). Customers (as Controllers) will be informed of material changes to this list as described in the DPA.
Current Subprocessors
| Category | Subprocessor | Location | Purpose | Safeguards |
|---|---|---|---|---|
| Hosting & Infrastructure | Amazon Web Services (AWS) | EU | Compute, storage, infrastructure, networking | EU data centers; SCCs not required |
| Hosting & Infrastructure | Google Cloud Platform | EU | Container hosting, networking | EU data centers |
| Hosting & Infrastructure | Digital Ocean | EU | Container hosting, storage, networking | EU data centers |
| Hosting & Infrastructure | Hetzner | EU | Container hosting, networking | EU data centers |
| Backup & Storage | Backblaze B2 | EU | Encrypted backups | EU storage; encrypted |
| DNS / CDN / Security | Cloudflare | EU/Global | DNS, DDoS protection, TLS termination | GDPR-compliant; data minimization |
| Developer platform | GitHub (GitHub, Inc.) | USA/EU | Source code hosting, CI/CD, issue tracking | SCCs in place; data minimization |
| Payments | Mollie BV | EU | Subscription payments | EU; PSD2 regulated |
| Transactional email | Postmark (ActiveCampaign LLC) | USA | System & transactional email delivery | SCCs in place |
| Analytics | PostHog | EU | Product analytics | EU hosting |
| Analytics | Plausible | EU | Web analytics | No cookies; EU hosting |
| Analytics | Google Analytics 4 | EU/Global | Web analytics (only after user consent) | SCCs; IP anonymization |
| Advertising | Google Ads | EU/Global | Conversion tracking & remarketing (only after consent) | SCCs |
| Advertising | LinkedIn Insight Tag | EU/Global | Advertising attribution (only after consent) | SCCs |
| Lead attribution | Leadinfo | EU | Identifying company visitors on website | EU hosting |
| Error tracking | Sentry (Functional Software, Inc.) | EU | Application error monitoring | EU hosting |
| Internal collaboration | Slack (Salesforce, Inc.) | USA/EU | Internal communication, may include customer references | SCCs in place; strict access controls |
Advertising and marketing tools are activated only after explicit cookie consent, as described in our Cookie Policy.
International Transfers
Some subprocessors may process limited data outside the European Economic Area (EEA). When this occurs, Recommand ensures appropriate safeguards under Chapter V of the GDPR, including:
- EU Standard Contractual Clauses (SCCs)
- Data minimization
- Encryption and secure transport
- Access restricted to need-to-know basis