justsayin — Sub-processors
Annex C to the Data Processing Agreement. Last updated: 6 July 2026.
This page lists the sub-processors engaged by Unendlich UG (haftungsbeschränkt) (“justsayin”) to process Customer Personal Data in connection with the justsayin Services. It is incorporated by reference into our Data Processing Agreement and supports our customers’ transparency obligations under Articles 13(1)(f) and 14(1)(f) GDPR and Annex III of the EU Standard Contractual Clauses.
Change notification
We will notify each customer’s designated workspace owner, and update this page, at least 14 calendar days before a sub-processor is added or replaced. A customer may object on reasonable data-protection grounds within 14 calendar days of that notification, as set out in Section 9 of the DPA. Where an urgent change is required to maintain the availability, security, or integrity of the Services, we may make it effective immediately and notify as soon as reasonably practicable, with the objection period running from that notification.
Current sub-processors
| Sub-processor | Purpose | Establishment | Processing location | Transfer safeguard | Retention at the sub-processor |
|---|---|---|---|---|---|
| OpenAI Ireland Limited | Transcription and automated analysis of feedback | Ireland (EEA) | Ireland; onward to OpenAI’s US affiliates for compute | EU Standard Contractual Clauses (within OpenAI’s corporate structure). | Data submitted through the API is not used to train OpenAI’s models; abuse-monitoring logs are retained for up to 30 days, then removed. |
| Ubicloud B.V. | Managed PostgreSQL database | Netherlands (EEA) | Germany | Processing within the EEA; any onward transfer to US affiliates is made under EU Standard Contractual Clauses. | Backups retained for a maximum of 10 days on a rolling basis; deletion within 180 days of the end of the contract. |
| Hetzner Online GmbH | Application server hosting | Germany (EEA) | Germany | None required — processing within the EEA. | Infrastructure host; deletion at justsayin’s request after the contract ends. |
| Cloudflare, Inc. | Object storage for audio recordings and screenshots | United States (storage configured to the EU region) | EU region | EU–US Data Privacy Framework and EU Standard Contractual Clauses. | Stored until justsayin deletes it or the contract ends (return-or-delete on termination). |
| Brevo (Sendinblue SAS) | Delivery of transactional and notification emails | France (EEA) | France | Processing within the EEA; any onward transfer is made under EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. | Customer data destroyed within 3 months of contract termination. |
| Axiom, Inc. | Technical and security logging | United States (log storage in the EU region) | EU region | EU Standard Contractual Clauses. | Deleted within 60 days of contract termination. |
The categories of Customer Personal Data processed are those described in Annex A of the DPA. In-life retention and deletion follow Section 7 of the DPA; the last column shows each sub-processor’s own published or contractual retention posture, referenced by Sections 7.3 and 11.4 of the DPA.
Contact
Questions about this list can be sent to privacy@justsayin.io.