Subprocessors

List of subprocessors under the GDPR

Last updated About 3 hours ago

Subprocessors of Consent Studio

Consent Studio (Vallonic B.V.) works with a limited number of trusted third-party service providers to deliver, protect, and improve our services. These third parties are referred to as Subprocessors.

Who we serve

We distinguish between two groups of people that interact with Consent Studio:

  • Customers: businesses and developers who use Consent Studio to manage consent on their websites. Customers have a direct contractual relationship with us.

  • End-Users: visitors to websites managed by our Customers, who interact with our consent interface.

Different subprocessors apply depending on which group you belong to.

Our commitment to European data sovereignty

For End-Users located in the European Union, we are committed to processing data exclusively on sovereign European infrastructure. This means that every subprocessor involved in serving EU-based End-Users meets both of the following criteria:

  1. Data is stored and processed within European Union member states.

  2. The legal entity is incorporated and majority-owned within the European Union and not by any non-EU parent company or holding structure.

For End-Users located outside the European Union, requests may be handled via infrastructure outside EU borders, for example via CDN edge nodes closer to the visitor's location.

Customer Subprocessors

These Subprocessors may process data related to Customers, including account holders, billing contacts, administrators, and personnel who have been in contact with us.

Subprocessor

Country

Purpose

Data Processed

Stripe Payments Europe, Ltd.
Stripe

Ireland

Subscription & payment processing

Company details, billing contact, professional email address, payment information

Scaleway SAS

France

Hosting & infrastructure

Application data, account data, IP address

Intercom, Inc.

United States

Customer Support, E-mail, In-Dashboard Messaging

Name, email address, and any personal data included in correspondence

Google Ireland Ltd.
Google Workspace

Ireland

Email & internal collaboration

Name, email address, and any personal data included in correspondence

ClickUp, Inc.

United States

Project management & internal communications

Name, email address, and any personal data included in submitted feedback or support communications

Cordnet OÜ

Estonia

Customer Support, E-mail, In-Dashboard Messaging, Feedback reporting

Name, email address, and any personal data included in correspondence

Note on Intercom communications

While you are an active Customer, certain service notifications and product updates are considered essential to service delivery and cannot be unsubscribed from. You can unsubscribe from promotional emails at any time via the unsubscribe link in those emails.

Note on Google Workspace and ClickUp

These tools may incidentally contain personal data of personnel associated with Customer organisations. For example, when a contact submits feedback or engages with our support team. Data in these tools is used exclusively for internal operational purposes.

End-User subprocessors

These subprocessors may process data related to End-Users interacting with the Consent Studio widget on Customer websites. For End-Users located in the European Union, all data is processed exclusively on EU-owned infrastructure within EU member states.

Subprocessor

Country

Purpose

Data Processed

Sovereign European

Scaleway SAS

France

Compute, data storage & networking, including consent log storage

Consent records, pseudonymised identifiers, preference data

βœ“ Yes

BunnyWay d.o.o.

Slovenia

CDN, DDoS protection & geotargeting

IP address (in transit), request metadata

βœ“ Yes, for EU visitors

Note: edge nodes outside the EU are used for non-EU visitors

On sustainability

Scaleway SAS powers its infrastructure with renewable energy for all non-emergency capacity. By hosting End-User data exclusively with Scaleway, we aim to minimise the environmental footprint of consent processing. BunnyWay d.o.o., however, cannot guarantee energy from renewable sources just yet.

GDPR compliance

All Subprocessors are bound by a Data Processing Agreement (DPA) and are contractually obligated to:

  • Process your data only for the purposes described above

  • Implement appropriate technical and organisational security measures

  • Not transfer data outside agreed jurisdictions without a valid legal basis

  • Comply with GDPR and applicable EU data protection law

Changes to this list

We may update this list when we add, remove, or change subprocessors via the Changelog. Customers will be notified of material changes in accordance with our Data Processing Agreement.

If you have questions about our subprocessors or data processing practices, contact us at privacy@consent.studio.