Subprocessors

Last updated: 5 June 2026 — Version 1.5

Under GDPR Art. 28(2), we must inform you of any subprocessors we engage to process personal data on your behalf. This page is the authoritative, always-current list. We will notify you by email at least 30 days before adding any new subprocessor that processes your personal data, giving you time to object.

PennaSystems (CVR 46522036) engages the following third-party companies to deliver the service. Each subprocessor is bound by a Data Processing Agreement (DPA) and must process data only for the specified purpose, under documented instructions, with appropriate security measures in place.

Transfer to non-EEA countries relies on one of these legal mechanisms:

Current subprocessors

Processor Country Purpose Data processed Transfer basis Privacy policy
Stripe, Inc. USA Payment processing and subscription management for PennaSystems subscriptions Billing name, email, payment method metadata, subscription history. Card numbers are tokenised by Stripe and never transmitted to PennaSystems. EU–US DPF stripe.com/privacy
Resend, Inc. USA Transactional email delivery (account verification, password reset, invoice notifications, system alerts) and, where a client opts to reply by email, inbound email receipt for PennaConnect conversation threads Recipient email address, email subject and body (security-alert emails contain the IP address of the triggering login), delivery timestamps, and — for inbound replies — the sender's email address, message body and any attachments the client sends into the conversation. No marketing profiling. SCCs resend.com/legal/privacy-policy
Railway Corp. USA Cloud application hosting and managed PostgreSQL database All platform data stored in the database: user accounts, invoices, contacts, messages, file references, billing records. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). SCCs railway.app/legal/privacy
Cloudflare, Inc. USA (R2 object storage pinned to EU jurisdiction) Content delivery network (CDN), DDoS protection, and R2 object storage for user-uploaded files Static assets, user-uploaded files (invoices, profile images, deliverable files, receipt images), anonymised web analytics via Cloudflare Web Analytics (no cookies, no cross-site tracking). IP addresses processed transiently for routing and security. R2 object storage is pinned to Cloudflare's EU jurisdiction (EEUR location) — uploaded files are stored on EU infrastructure. Cloudflare Inc. is a US company, so SCCs still apply to the corporate relationship. SCCs cloudflare.com/privacypolicy
Anthropic, PBC USA AI-assisted features: invoice line-item suggestions, email drafting, proposal generation, invoice field suggestions, and similar in-product AI tools. Only invoked when you actively use an AI feature. Invoice content, message drafts, and field values submitted via AI features at the time of use. Anthropic does not use this data to train models under their Commercial API Terms. Inputs and outputs are retained by Anthropic for up to 30 days for abuse monitoring and safety classification, then automatically deleted. Anthropic may retain User Safety classifier results beyond that window solely to enforce their Usage Policy. SCCs anthropic.com/privacy
Functional Software, Inc. (Sentry) USA Application error tracking and performance monitoring Sanitised stack traces, request paths (URL path only, no query-string values), error messages, and browser/OS information when an application error occurs. PII scrubbing is configured at the source to exclude email addresses, IP addresses, authentication tokens, names, and payment data from all error payloads. SCCs sentry.io/privacy
Expo Technology, Inc. USA Push notification delivery for the PennaSystems mobile app Device push token and notification payload (event type and brief description). No message content is stored by Expo beyond the delivery attempt. Only users with the mobile app installed and push notifications enabled are affected. SCCs expo.dev/privacy
PostHog, Inc. EU Cloud (Frankfurt, DE) Product and web analytics across marketing pages and the authenticated app (pennapay.com, pennasystems.com, app.pennasystems.com) Page views, feature usage events, session IDs. A random visitor ID is stored in localStorage for session continuity (no cookies set). For logged-in users the PennaSystems user ID is linked to events. No advertising profiles. Person profiles created for authenticated users only. EU Cloud — data stays in EU (AWS eu-central-1, Frankfurt) posthog.com/privacy
Ghost Foundation (Ghost Pro) USA Newsletter platform for founder content and product update communications. Stores subscriber data for users who opt in to PennaSystems newsletters. Active from Month 2 of operations. Subscriber email address, name (if provided at opt-in), subscription status, and email engagement events (opens, clicks). Only affects users who voluntarily subscribe to PennaSystems newsletters — not all platform users. SCCs ghost.org/privacy
Mailgun Technologies, Inc. (via Ghost Pro) USA Email delivery infrastructure used by Ghost Pro to send newsletter issues to subscribers. Mailgun is Ghost Pro's transactional email sub-processor and is not contracted directly by PennaSystems. Recipient email address, email subject and body (newsletter content), and delivery timestamps. Processed by Mailgun on behalf of Ghost Pro under Ghost's sub-processing chain. Only affects newsletter subscribers. SCCs mailgun.com/legal/privacy-policy

Optional third-party integrations

The services below are not sub-processors — PennaSystems does not direct how they process your data, and they are used only if a client or organization actively chooses to link them. They act as independent data controllers under their own terms.

Telegram (Telegram FZ-LLC — UAE / BVI). An optional messaging channel a client may link to a PennaConnect conversation. Email is always the default and Telegram is never required. When a client links Telegram, the messages and files they exchange there are transferred to and processed by Telegram FZ-LLC outside the EU/EEA, under Telegram's own privacy policy, as an independent controller. The client links only after being shown, and accepting, a notice of the risks of this transfer (the UAE/BVI have no EU adequacy decision and no appropriate safeguards). Legal basis: the client's explicit consent — Art. 6(1)(a) for the sharing and Art. 49(1)(a) for the international transfer. The client can end it any time by sending /stop. Privacy policy: telegram.org/privacy.

Meta — Facebook Messenger and Instagram (Meta Platforms Ireland Limited, Dublin, Ireland). An optional set of messaging channels an organization may connect to its PennaConnect inbox so it can receive and reply to messages its own clients send from Facebook Messenger or Instagram. The channel is opt-in, off by default, and available on the Pro plan; email and the in-app inbox always work without it. When an organization connects Meta, it authorises PennaPay (through the organization's own Meta login) to send messages to, and receive messages from, those platforms on the organization's behalf. For that message traffic, PennaPay acts only as the organization's processor on its documented instructions — the same processor role we hold for the organization's other client data.

Meta is not a PennaPay subprocessor. For the personal data collected through a connected Facebook Page or Instagram professional account, Meta acts as a controller — jointly with the organization for the collection on Meta's platform (per the CJEU rulings in Wirtschaftsakademie Schleswig-Holstein, C-210/16, and Fashion ID, C-40/17) and independently for Meta's own platform purposes — under Meta's own terms and privacy policy, which the organization accepts directly with Meta. The EU contracting and data-controlling entity is Meta Platforms Ireland Limited, established in the EEA; the transfer from PennaPay to Meta Ireland is therefore an intra-EEA transfer and is not a Chapter V third-country transfer. Any onward transfer by Meta to the United States is Meta's own processing, carried out under the EU–US Data Privacy Framework adequacy decision (Art. 45).

Because the organization is the controller toward its own clients, the organization is responsible for telling its clients, in the organization's own privacy notice, which connected messaging services it uses and for having a lawful basis to handle the resulting messages. Privacy policy: facebook.com/privacy/policy.

Subprocessors that process your clients' data

When you use PennaSystems to send invoices, messages, or files to your clients, you are the data controller for your clients' personal data and PennaSystems is your data processor under GDPR Art. 28. The same subprocessors listed above also process your clients' data (e.g. Railway stores client contact details; Resend delivers invoice emails to client addresses) on a processor-of-processor basis. Our DPA with each subprocessor covers this sub-processing chain.

You remain responsible for ensuring you have a lawful basis to process your clients' data and to use a service like PennaSystems on their behalf.

Former subprocessors

No subprocessors have been removed to date. This table will be updated when vendors are replaced or removed, including the date of termination.

Notification of changes

We will notify registered users by email at least 30 days before adding any new subprocessor that will process personal data. The notification will identify the new vendor, the categories of data they will process, and the legal transfer mechanism that applies (DPF, SCCs, or EU residency). If you object to the new subprocessor, you may terminate your account before the change takes effect and receive a pro-rata refund for any prepaid, unused portion of an annual plan.

Material changes to this Subprocessors page itself (for example, removal of a vendor, or a change in transfer mechanism for an existing vendor) will be reflected here within 30 days and noted in the page version date below. We monitor for changes in adequacy decisions (such as the EU–US Data Privacy Framework) and will update this disclosure if a vendor's transfer mechanism changes.

Questions

For questions about a specific subprocessor, to request a copy of the relevant DPA / SCC, or to exercise any of your GDPR rights, contact privacy@pennapay.com. We respond to ordinary enquiries within 5 business days and to GDPR data subject requests within 30 days as required by GDPR Art. 12(3).