Loading...
Loading...
Transparency on third-party providers that process personal data on behalf of Gitogi Srl, pursuant to Art. 28(2) of Regulation (EU) 2016/679.
This document is drafted in Italian. The English version is provided for informational purposes only: in case of discrepancy, the Italian text shall prevail.
Last updated: 21 June 2026
Pursuant to Art. 28(2) of Regulation (EU) 2016/679 (GDPR), Gitogi Srl, acting as data controller and/or data processor, publishes and maintains this list of sub-processors to which it entrusts specific personal data processing activities. Each sub-processor operates under a Data Processing Agreement (DPA) compliant with Art. 28 GDPR and, where applicable, in compliance with the safeguards for international data transfers set out in Arts. 44-49 GDPR.
Registry: 13 active sub-processors · 5 conditional (not active unless explicitly enabled, flagged in the table).
| Name | Legal entity | Processing purpose | Data processed | Location / Data residency | Transfer mechanism | Consent-gated | DPA link |
|---|---|---|---|---|---|---|---|
| Supabase | Supabase Inc. | Database, authentication, storage | All stored personal data (accounts, profiles, progress, consents) | EU (eu-central-1, Frankfurt) | N/A (data in the EU) | No | DPA |
| Stripe | Stripe Inc. | Payment and subscription processing | Email, name, billing data, payment methods | USA / EU | EU-US DPF + SCCs | No | DPA |
| Stripe (UK customers — GBP) Conditional | Stripe Payments UK, Ltd. [LEGAL REVIEW PENDING] | Payment and subscription processing for UK customers in GBP — DEFERRED v1.1 (UK descoped from v1.0 on 2026-04-27)[NOT ACTIVE IN v1.0 — DEFERRED v1.1] Sub-processor not active. v1.0 commercial scope is Italy-only, EUR-only (decision 2026-04-27 — see `docs/COMPLETION_PLAN_v1_0.md` §1). No UK customer data flows through this sub-processor. Will activate only upon UK launch opening (v1.1) after: (a) UK counsel review on legal entity and DPA, (b) `currency: 'gbp'` enablement in `src/lib/stripe/checkout.ts`, (c) addition of UK-specific clauses to legal docs (Privacy Policy UK GDPR, Cookie Policy PECR, ToS Consumer Rights Act 2015). Kept in the registry as a transparent placeholder of the v1.1 roadmap. | No data in v1.0. In v1.1, if activated: email, name, UK billing data, payment methods (GBP cards, Bacs Direct Debit where enabled) | UK (London) [LEGAL REVIEW PENDING — confirm Stripe Payments UK, Ltd. data residency vs onward transfer to Stripe Inc. USA] | [v1.1 only] UK adequacy decision (EU→UK, in force since 28 June 2021) for data originating from EU customers; UK IDTA + UK-US Data Bridge (in force since 12 October 2023) for onward transfer to Stripe Inc. USA. [LEGAL REVIEW PENDING — confirm IDTA vs SCC choice + Data Bridge applicability] | No | DPA |
| Amazon Web Services (Bedrock) | Amazon Web Services EMEA SARL (Lussemburgo) | Primary AI chat (Claude Opus/Sonnet/Haiku) and intra-Bedrock fallback (Mistral Large) via AWS Bedrock with cross-region EU inference profile; knowledge-base RAG embeddings (Cohere Embed v4, 1024 dim, eu-west-1 Ireland) | User chat messages, deliverable generation prompts, KB document chunks for analysis and embedding, user search queries for embedding, extracted lead signals | EU (eu-south-1 Milan primary; cross-region EU: eu-central-1 Frankfurt, eu-west-1 Ireland, eu-west-3 Paris) | N/A (data resident in the EU); AWS EMEA SARL is a European entity, AWS Inc. is the US parent (residual CLOUD Act exposure mitigated by EUDB + Bedrock regional guarantees) | Yes | DPA |
| Mistral AI (La Plateforme) EU-sovereign | Mistral AI SAS (Parigi, Francia) | EU-sovereign cross-cloud AI fallback — Layer 3 of resilience stack. Active only when AWS Bedrock EU is fully unavailable. | User chat messages and generation prompts during catastrophic AWS Bedrock EU outage | EU (Paris, France — Mistral AI SAS own infrastructure) | N/A (French company, EU infrastructure, no extra-EU transfers, no US CLOUD Act exposure) | Yes | DPA |
| Anthropic (API diretta) Conditional | Anthropic PBC | Extra-EU AI chat fallback — disabled by default. Admin-enabled only for dev/staging scenarios or with supplementary DPIA.CONDITIONAL sub-processor: by default the anthropic-direct layer is DISABLED and with 'Hard fail' active it is skipped regardless. User data does not flow to Anthropic USA unless admin explicitly enables it with documented DPIA. | Chat messages (only if admin explicitly enables the anthropic-direct layer in admin AI Stack UI) | USA | EU-US DPF + SCCs | Yes | DPA |
| OpenAI (API diretta) Conditional | OpenAI LLC | KB Multi-LLM Consensus cross-check (P5) only + conditional extra-EU chat fallback. NOTE: RAG embeddings MIGRATED to Cohere Embed v4 on AWS Bedrock EU (Jun 2026, F3.1) — OpenAI is no longer used for embeddings.Current use: KB Multi-LLM Consensus ONLY, for cross-verification of discovery proposals and validation of regulatory citations (public data only, PII filter active). openai-direct chat layer DISABLED by default. RAG embeddings migrated to Cohere Embed v4 on Bedrock EU (F3.1, Jun 2026). Consensus cross-check migration to Mistral-on-Bedrock planned to remove OpenAI from the stack entirely. | Chat messages only if openai-direct layer enabled by admin; Multi-LLM Consensus queries on public content (URLs, regulatory citations, institution names) — built-in PII filter blocks fiscal codes/IBAN/email/phone before send | USA | EU-US DPF + SCCs | Yes | DPA |
| Resend | Resend Inc. | Transactional email delivery and notifications | Email addresses, email content, delivery status | USA | EU-US DPF | No | DPA |
| Upstash | Upstash Inc. | Rate limiting (Redis) | Rate limit keys (hashed IPs), ephemeral data with TTL | EU | N/A (data in the EU) | No | DPA |
| PostHog | PostHog Inc. | Product analytics and user behavior analysis | Session data, interaction events, user properties | EU Cloud (eu.posthog.com) | N/A (EU Cloud) | Yes | DPA |
| Google LLC | Analytics (GA4), reCAPTCHA Enterprise, Google Workspace | Session data, IP, device fingerprint, navigation events | USA / EU | EU-US DPF + SCCs | Yes | DPA | |
| Sentry | Functional Software Inc. | Error tracking and session replay (active by default; Session Replay only after analytics consent) | Error context, stack traces, masked session data | USA | EU-US DPF | No | DPA |
| Perplexity | Perplexity AI Inc. | Web search for Knowledge Base Brain + Multi-LLM Consensus cross-check (P5) | Search queries on public regulatory content (URLs, citations, institution names); no personal data sent — PII filter active in consensus runner | USA | EU-US DPF | No | DPA |
| Google AI (Gemini API) Conditional | Google LLC | Long-context document cross-referencing (deprecated — replaced by Bedrock Sonnet 4.6 200K ctx)LEGACY sub-processor: used only if admin config sets AI_PROVIDER=anthropic (pre-Bedrock mode). Not active in current production. | Summaries of public regulatory documents (no personal data sent) | USA / EU | EU-US DPF + SCCs | No | DPA |
| Vercel | Vercel Inc. | Web application hosting (Next.js SSR), edge functions, global CDN, cron scheduler | All data in transit (HTTP requests, headers, serverless function logs, CDN logs) | EU (fra1, Frankfurt) — region pinned via vercel.json | EU-US DPF + SCCs (Vercel Inc. is a US company with EU-resident data) | No | DPA |
| Aruba | Aruba SpA | Electronic invoicing and digital preservation | Electronic invoices, fiscal data | Italy | N/A (data in Italy) | No | DPA |
| Browserless | Browserless.io | JS-rendered scraping for regulatory monitoring (optional, no personal data) | URLs of public normative websites (no personal data sent) | USA | N/A — no personal data transferred | No | DPA |
| Odoo Conditional | Odoo S.A. (Belgio) | ERP management platform and its hosting (Odoo Online / Odoo.sh) for clients of Odoo implementation projectsSub-processor active ONLY for clients of Odoo implementation projects who adopt Odoo Online/Odoo.sh hosting. It does NOT concern gitogi.com SaaS/academy users, whose data does not flow through Odoo. For such projects, Odoo S.A. is listed in the project-specific DPA. | Business and personal data managed in the Client's ERP (customer/supplier records, contacts, documents, operational and accounting data) — only for clients adopting Odoo hosting | EU (region selected at activation; EU option available — Odoo S.A. infrastructure; backups and sub-suppliers per Odoo terms) | DPA included in the Odoo subscription terms; for Odoo Online/Odoo.sh the Client is the Controller and Odoo S.A. the Processor (Art. 28 GDPR) | No | DPA |
In accordance with our contractual obligations and Art. 28(2) GDPR, Gitogi Srl notifies active clients by email of any changes to this list at least 30 (thirty) days before the new sub-processor becomes active. During this period, the client has the right to object to the change. In the absence of written objection within the specified deadline, the change shall be deemed accepted. The updated list is always available on this page.
Transfers of personal data to third countries are carried out exclusively on the basis of appropriate safeguards pursuant to Arts. 44-49 GDPR. The main mechanisms used are: (a) EU-US Data Privacy Framework (DPF) — European Commission adequacy decision of 10 July 2023 pursuant to Art. 45 GDPR; (b) Standard Contractual Clauses (SCCs) — standard contractual clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, in the updated version (Decision 2021/914); (c) EU-resident processing — where the sub-processor guarantees data residency within the European Economic Area, no international transfer occurs.
For any questions regarding sub-processors or to exercise your right to object, please contact our privacy team: privacy@gitogi.com.
See also: Privacy Policy · Data Processing Agreement · Security Measures