Subprocessors
This page is the named list of third-party subprocessors that process personal data on Apshan's behalf, published under GDPR Article 28(2). The Data Processing Addendum governs the underlying relationship.
About this page
A subprocessor is a third party that processes personal data on Apshan's behalf to deliver the Service. This page lists every named subprocessor, the role each plays, the country of processing, and the transfer mechanism where data leaves the EU/EEA.
The list is published per GDPR Article 28(2) and EDPB Opinion 22/2024. Where a subprocessor is required to comply with Standard Contractual Clauses (SCCs) for non-EU transfers, that is noted. Each entry links to the subprocessor's own privacy or DPA page for chain transparency.
Hosting and infrastructure
| Subprocessor | Purpose | Country | Transfer |
|---|---|---|---|
| Scaleway SAS | Cloud infrastructure: hosting, compute, managed databases, object storage | France (EU) | EU-resident · DPA |
| Cloudflare, Inc. | DNS, CDN, edge proxy, DDoS mitigation, marketing-website hosting (Workers/Pages), bot challenge (Turnstile). Processes visitor metadata only (IP address, user agent, page paths). No customer product data flows through this subprocessor. | USA · EU edges | SCCs + DPA |
| Upstash, Inc. | Managed Redis (REST API) for distributed rate-limit counters on public form submissions. Each request stores the visitor's IP address in a counter key that expires automatically after a 60-second window. No form contents, email addresses, or other personal data are processed. Used solely to prevent abuse and spam on partner application endpoints, under legitimate interest (Article 6(1)(f)). | USA · EU data residency (Frankfurt) | SCCs + DPA |
| Subprocessor | Purpose | Country | Transfer |
|---|---|---|---|
| Sendinblue SAS (Brevo) | Transactional and marketing email delivery | France (EU) | EU-resident · DPA |
Analytics and telemetry
| Subprocessor | Purpose | Country | Transfer |
|---|---|---|---|
| Google Ireland Limited (Google Analytics 4) | Web and product analytics (Google Analytics 4). Marketing-traffic measurement, behavioral audiences, and Google Ads ecosystem integration. Loaded only after the visitor accepts the analytics category in the consent banner. | Ireland (EU) · USA parent | EU-US DPF + SCCs + DPA |
| Ahrefs Pte. Ltd. | Web analytics (Ahrefs Web Analytics). Loaded only after you accept the analytics category in the consent banner. Cookieless once loaded: no persistent identifier is set on the visitor device. Note: once the script loads, it tracks all subsequent in-app navigations (including pages otherwise excluded from marketing pixels), because the vendor exposes no per-page opt-out API. Request metadata (anonymized IP, user agent, referrer, page URL) is processed for SEO traffic analysis. | Singapore | SCCs + DPA |
| PostHog, Inc. | Product analytics (EU instance, Frankfurt). Client-side captures load only after the visitor accepts the analytics category in the consent banner. Server-side operational telemetry (partner application submissions and server error events) is processed under legitimate interest (Article 6(1)(f)) regardless of cookie consent; email-derived identifiers are salted and hashed before transmission. | USA · EU data residency | SCCs + DPA |
| Functional Software, Inc. (Sentry) | Error monitoring and application performance | USA · EU instance (de.sentry.io) | SCCs + DPA |
Logging and observability
| Subprocessor | Purpose | Country | Transfer |
|---|---|---|---|
| Better Stack, s.r.o. | Application logs, uptime monitoring, observability | Czech Republic (EU) | EU-resident · DPA |
Customer experience
| Subprocessor | Purpose | Country | Transfer |
|---|---|---|---|
| Axeptio SAS | Cookie consent management | France (EU) | EU-resident · DPA |
| Trustpilot A/S | Review invitations and trust ratings. Loads only after the visitor accepts the relevant consent category in the cookie banner; no data is processed without explicit consent. | Denmark (EU) | EU-resident · DPA |
Marketing pixels and server-side conversions
Marketing pixels are loaded only after explicit consent through the cookie banner. Server-side conversions APIs run only when the visitor has granted marketing consent for the relevant vendor. You can withdraw consent at any time.
| Subprocessor | Purpose | Country | Transfer |
|---|---|---|---|
| Google Ireland Limited (Google Ads) | Advertising attribution, conversion measurement, audience retargeting, and Enhanced Conversions hashed-email matching (Google Ads / gtag.js) | Ireland (EU) · USA parent | SCCs + DPA |
| LinkedIn Ireland Unlimited Company (Insight Tag) | Advertising attribution and audience measurement | Ireland (EU) · USA parent | SCCs + DPA |
| Meta Platforms Ireland Limited (Meta Pixel) | Audience retargeting and conversion measurement (Meta Pixel) | Ireland (EU) · USA parent | SCCs + DPA |
| Meta Platforms Ireland Limited (Conversions API) | Server-side conversion attribution via Conversions API (hashed email, IP address, user-agent). Fires only on validated form submissions when the visitor has granted Meta marketing consent. | Ireland (EU) · USA parent | EU-US DPF + SCCs + DPA |
| LinkedIn Ireland Unlimited Company (Conversions API) | Server-side conversion attribution via Conversions API (hashed email, IP address, user-agent, LinkedIn first-party attribution cookie identifier). Fires only on validated form submissions when the visitor has granted LinkedIn marketing consent. | Ireland (EU) · USA parent | EU-US DPF + SCCs + DPA |
Authorization and right to object
By accepting the Terms of Service and the Data Processing Addendum, you give Apshan general written authorization to engage the subprocessors listed above, in accordance with GDPR Article 28(2).
You retain the right to object to any subprocessor change. If you object on reasonable grounds related to data protection, Apshan will work with you in good faith to resolve the objection or, where it cannot, allow termination of the affected portion of the Service.
Notification of changes
Apshan publishes material changes to this list at least thirty (30) days before they take effect. To subscribe to subprocessor change notifications, write to privacy@apshan.com with the subject line "Subprocessor notifications" and the email address you want notifications sent to.
Emergency changes (where a subprocessor must be added or replaced for security or continuity reasons before the thirty-day window) are announced as soon as practicable with the reason for the expedited timeline.
International transfers
Where a subprocessor's legal entity is incorporated outside the EU/EEA, including cases where data is hosted in EU regions, Apshan relies on the European Commission's Standard Contractual Clauses (SCCs) and a signed Data Processing Addendum to safeguard the transfer. Where a subprocessor's data residency is outside the EU/EEA, the country of processing is disclosed in the tables above.
Contact
privacy@apshan.com
Apshan, 6 Rue d'Armaillé, 75017 Paris, France.