Sub-Processor List (Template)
ReflectHub OÜ — English
ReflectHub OÜ — Legal Documentation
Sub-Processor List (Template)
ReflectHub OÜ
| Document Purpose | Public-facing template / internal register format for ReflectHub sub-processors |
|---|---|
| Last Updated | 2026-06-18 |
| Notification Method | trust center update |
| Objection Window | 30 days from notice, where applicable under DPA |
This Sub-Processor List identifies third-party service providers that may process Customer Personal Data on behalf of ReflectHub OÜ in connection with providing the ReflectHub Services.
This template should be published as a living document and kept in sync with the DPA and security documentation.
How to Use This List
- List all sub-processors that may process Customer Personal Data for production services and key support operations.
- For each sub-processor, identify the service provided, data categories involved, processing location/regions, and the applicable transfer safeguard (if relevant).
- If a provider is used only for prospect/marketing website operations (not product data), you may maintain a separate Website Privacy Vendor List.
Production Sub-Processors
The following sub-processors process Customer Personal Data on behalf of ReflectHub OÜ in connection with the ReflectHub product (app.reflecthub.com).
| Provider | Service Function | Data Categories | Data Subjects | Processing Location(s) | Transfer Mechanism | Notes / Link |
|---|---|---|---|---|---|---|
| Cloudflare, Inc. | Authoritative DNS and edge proxy / TLS termination sitting in front of the product (app.reflecthub.com) and the marketing site (reflecthub.com); related WAF and DDoS protection. | IP address, DNS query metadata, TLS connection metadata and (where proxying is enabled) HTTP request headers, URLs and payloads of traffic to the apps. | Customer users (Authorized Users), data subjects in customer records, and website visitors. | Global anycast network (EU and US edge locations). | EU-US Data Privacy Framework and EU SCCs. | https://www.cloudflare.com/cloudflare-customer-dpa/ |
| Scaleway SAS | Application hosting (Kubernetes Kapsule), container registry, managed PostgreSQL database, Object Storage (S3-compatible) for file uploads and exports, and observability via Scaleway Cockpit (Grafana, Loki). | Customer Data submitted to the product, account and authentication data, uploaded files and attachments, application and access logs, infrastructure metrics. | Customer users (Authorized Users) and data subjects whose data is in customer records. | France (fr-par region); EEA. | N/A — processing within the EEA. | https://www.scaleway.com/en/dpa/ |
| Stripe Payments Europe, Ltd. | Subscription billing, hosted checkout, customer billing portal, invoicing, seat management and webhook processing. | Billing contact details (name, email, billing address), subscription and transaction metadata, tax identifiers; cardholder data is collected and tokenized directly by Stripe. | Customer billing contacts and account admins. | Ireland (EU), with onward transfer to Stripe, Inc. (US) where applicable. | EU-US Data Privacy Framework and EU SCCs. | https://stripe.com/legal/dpa |
| Resend, Inc. | Transactional email delivery (account invites, password reset, billing receipts, in-product notifications). | Recipient email address, sender and message metadata (subject, headers), delivery and engagement events. | Authorized Users and customer admins. | United States. | EU-US Data Privacy Framework and EU SCCs. | https://resend.com/legal/dpa |
Website / Marketing Vendors (Non-Product Data)
The following vendors are used by the public marketing website (reflecthub.com) only and do not process Customer Personal Data from the product. They are listed here for transparency alongside the cookie policy.
| Provider | Purpose | Data Categories | Processing Location(s) | Legal Basis Context | Notes |
|---|---|---|---|---|---|
| Cloudflare, Inc. (Turnstile) | Bot and abuse mitigation on public marketing-site forms (contact, book-a-demo, legal enquiries, newsletter signup). | IP address, challenge token, browser and device signals supplied by the visitor's browser. | Global anycast network (EU and US edge locations). | Legitimate interests — protecting public forms from automated abuse (no consent required as strictly necessary). | https://www.cloudflare.com/cloudflare-customer-dpa/ |
| Resend, Inc. | Delivery of form-submission notifications from the marketing site to ReflectHub staff (info@reflecthub.com). | Submitter-provided name, email address, message content, and delivery metadata. | United States. | Legitimate interests / pre-contractual steps at the request of the data subject. | https://resend.com/legal/dpa |
| Google Ireland Limited (Google Fonts — Material Symbols) | Runtime delivery of the Material Symbols icon stylesheet and font files used in the marketing site UI. | IP address, User-Agent and referrer URL of the visitor's browser. | Ireland (EU) with global Google CDN edge. | Legitimate interests — rendering of essential UI iconography. | https://policies.google.com/privacy |
Change Management and Customer Notifications (Template Language)
ReflectHub may update this Sub-Processor List from time to time to reflect changes to its vendors and infrastructure.
Where required under the DPA, ReflectHub will provide notice of a new or replacement sub-processor before such sub-processor begins processing Customer Personal Data.
Customers may object on reasonable data protection grounds in accordance with the DPA. If ReflectHub cannot reasonably accommodate the objection, Customer may terminate the affected Services as its sole remedy.
Internal Checklist Before Adding a Sub-Processor
- Vendor security and privacy due diligence completed
- DPA / processor terms signed and archived
- Transfer mechanism documented (if non-EEA processing)
- Data minimization confirmed
- Sub-processor list updated
- Customer notice prepared/sent (if required)
- Engineering and support teams informed