Sub-processor List
Third-party sub-processors engaged by SETOR AI Sp. z o.o. in the provision of the Setor AI platform
Last Updated: June 16, 2026
This Sub-processor List is maintained by SETOR AI Sp. z o.o. ("Setor AI", "we", "us") pursuant to Article 28(2) of Regulation (EU) 2016/679 (GDPR) and the Data Processing Agreement (DPA) in place between Setor AI and each customer. It identifies the third-party entities ("Sub-processors") that we have authorized, under a general written authorization, to process personal data on behalf of our customers in connection with the Setor AI platform (an AI setter operating in Instagram, Facebook and WhatsApp direct messages on the customer's behalf). Setor AI acts as a processor in respect of the customer content processed through the platform and as a controller in respect of derived, aggregated and anonymized data and of its own account, billing, security and analytics data. By subscribing to the service, the customer grants a general authorization to engage the Sub-processors listed below and any successors or replacements within the same categories, subject to the change procedure described in this document.
1. Purpose and Scope
1.1 Purpose and legal basis for maintaining this list
This list provides customers (acting as controllers) with transparent information about every third-party entity that Setor AI has engaged to process personal data on the customer's behalf. Each Sub-processor is engaged under a written contract imposing data protection obligations no less protective than those in the DPA between Setor AI and the customer, as required by GDPR Article 28(4). This document is published in satisfaction of our transparency obligations under GDPR Article 28(2).
1.2 General authorization (Article 28(2) GDPR)
The customer grants Setor AI a general written authorization to engage and replace Sub-processors, as expressly permitted by Article 28(2) and Article 28(4) GDPR. This is a general authorization, not a per-Sub-processor consent right: the customer is entitled to prior notice of intended changes and to object on documented data-protection grounds, but does not hold a contractual right of veto over individual Sub-processors. The change and objection procedure is set out in Section 5.
1.3 Scope
- Sub-processors that process personal data Setor AI receives, generates or derives in the course of providing the platform; and
- entities that access, store, transmit or otherwise process such personal data as part of delivering a component of the service.
This list does not cover: processors engaged by the customer independently of Setor AI; the independent or joint-controller processing that certain providers carry out for their own purposes under their own terms (for example, Meta Platforms' own platform-integrity, safety and policy-enforcement processing, as distinct from the sub-processing it performs for the DM-automation function described in Section 2.2 and the note thereto); or Setor AI's own personnel and internal systems. Where a provider acts in a dual capacity, it is listed in the table below only in respect of the processing it performs as a Sub-processor on Setor AI's behalf.
2. Complete Sub-processor List
The table below lists all Sub-processors authorized as of the Last Updated date above. For each entity it states the processing purpose, the location/jurisdiction, the cross-border transfer mechanism, and whether the entity trains its own models on customer data. For every entity established in the United States the transfer relies on the EU-U.S. Data Privacy Framework (DPF), on the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (SCCs), or on both, supported where appropriate by a Transfer Impact Assessment (TIA).
2.1 AI and large-language-model providers
| Entity | Purpose | Location | Transfer mechanism | Trains on data |
|---|---|---|---|---|
| OpenAI, L.L.C. | Generation of AI responses (primary language-model API) | USA | DPF + SCCs | No - API data is not used for training (training is opt-in only) |
| Anthropic, PBC | Failover / backup AI language model | USA | DPF + SCCs | No - contractually does not train on customer data |
| Google LLC (Gemini) | Analysis of profile photos / vision and generation of AI responses | USA | DPF + SCCs | Training status under verification - covered by contractual data-protection obligations |
| OpenRouter, Inc. | API gateway routing requests to third-party models | USA | SCCs | Depends on the routed model (weakest link - see note below) |
| Groq, Inc. | Transcription of conversation audio | USA | SCCs | No (per contract) |
| Changes AI, Inc. (fal.ai) | AI image generation | USA | SCCs | No (per contract) |
| ElevenLabs, Inc. | Voice synthesis for AI conversations | USA | DPF + SCCs | No (per contract) |
2.2 Messaging and social platforms
| Entity | Purpose | Location | Transfer mechanism | Trains on data |
|---|---|---|---|---|
| Meta Platforms, Inc. | Instagram / Facebook / WhatsApp APIs used to read and send DMs on the customer's behalf (sub-processor role only - see note) | USA | DPF + SCCs | No (in its sub-processor capacity) |
| Twilio Inc. | SMS and voice calls | USA | DPF + SCCs | No |
| Slack Technologies, LLC | Team integration and operational notifications | USA | DPF + SCCs | No |
| Salesforce, Inc. | Parent entity / data-controller infrastructure underlying the Slack integration | USA | DPF + SCCs | No |
2.3 Payments
| Entity | Purpose | Location | Transfer mechanism | Trains on data |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription management (PCI DSS Level 1; card data tokenized by Stripe) | USA | DPF + SCCs | No |
2.4 CRM, scheduling, support and research
| Entity | Purpose | Location | Transfer mechanism | Trains on data |
|---|---|---|---|---|
| Attio, Inc. | Customer relationship management (CRM) | USA / EU | DPF + SCCs | No |
| iClosed | Sales CRM and call booking | USA | SCCs | No |
| Gleap GmbH | Support widget / ticketing | EU (Austria) | Intra-EEA - no transfer mechanism required | No |
| HL Pro Tools / HighLevel, Inc. (GoHighLevel) | CRM and calendars | USA | DPF + SCCs | No |
| Calendly LLC | Appointment booking | USA | DPF + SCCs | No |
| Cal.com, Inc. | Appointment booking (alternative) | USA / EU | SCCs | No |
| RapidAPI (Stoplight, Inc.) | Research of public Instagram profiles | USA | SCCs | No |
| Notion Labs, Inc. | Internal notes and documentation | USA | DPF + SCCs | No |
2.5 E-mail delivery
| Entity | Purpose | Location | Transfer mechanism | Trains on data |
|---|---|---|---|---|
| Resend (Plus Five Five, Inc.) | Transactional e-mail delivery (active provider) | USA | DPF + SCCs | No |
| Postmark (Wildbit, LLC / ActiveCampaign) | E-mail delivery (alternative) | USA | DPF + SCCs | No |
| SendGrid (Twilio Inc.) | E-mail delivery (alternative) | USA | DPF + SCCs | No |
| Nodemailer / self-hosted SMTP | E-mail delivery (alternative, on Setor-controlled infrastructure) | EU | Intra-EEA - no transfer mechanism required | No |
2.6 Analytics and monitoring
| Entity | Purpose | Location | Transfer mechanism | Trains on data |
|---|---|---|---|---|
| PostHog, Inc. | Product analytics (engaged only with consent) | EU (Frankfurt data residency) | EU data residency - no transfer mechanism required for stored data | No |
| Functional Software, Inc. (Sentry) | Error and performance monitoring | USA | DPF + SCCs | No |
2.7 Infrastructure, storage and databases
| Entity | Purpose | Location | Transfer mechanism | Trains on data |
|---|---|---|---|---|
| Cloudflare, Inc. | Hosting, CDN, R2 storage, Workers, edge compute, DDoS protection | USA (global; EU-preferred routing) | DPF + SCCs | No |
| Amazon Web Services, Inc. (AWS S3) | Backup storage | USA / EU regions | DPF + SCCs | No |
| Hetzner Online GmbH (self-hosted PostgreSQL) | Primary database | Germany (EU) | Intra-EEA - no transfer mechanism required | No |
| Neon, Inc. | Database (alternative) | USA / EU | DPF + SCCs | No |
| PlanetScale, Inc. | Database (alternative) | USA / EU | DPF + SCCs | No |
| pg-boss (within Setor-controlled PostgreSQL) | Job queue within the primary database | Germany (EU) | Intra-EEA - no transfer mechanism required | No |
Key: DPF = EU-U.S. Data Privacy Framework (Commission adequacy decision of 10 July 2023). SCCs = Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), in Module 2 (controller to processor) or Module 3 (processor to processor) as applicable. Entries marked "alternative" are authorized stand-by providers within the relevant category that may be activated under the change procedure in Section 5. This table is the complete list of Sub-processors authorized as of the Last Updated date; the functional categories in Section 3 supplement it for the purpose of the general authorization.
3. Sub-processor Categories
The Sub-processors above are grouped into functional categories. The customer's general authorization extends to engaging and replacing providers within these categories, on materially equivalent safeguards, under the change procedure in Section 5.
3.1 AI and large-language-model providers
Setor AI's core service generates contextual responses to direct messages on the customer's behalf. To do so, message content (minimized and, where feasible, pseudonymized at the application layer) is sent to AI and large-language-model providers, which return generated text, transcriptions, vision analysis, synthesized voice or images. Where a provider offers a no-training commitment for API data, we rely on it; where routing through a gateway (OpenRouter) makes the downstream terms model-dependent, we minimize the data sent and flag the residual risk.
3.2 Infrastructure, storage and databases
The platform runs on Cloudflare infrastructure (hosting, CDN, R2 storage, Workers, edge compute, DDoS protection), with the primary database self-hosted on PostgreSQL at Hetzner (Germany, EU) and backups on AWS S3. Neon and PlanetScale are authorized alternative database providers. Infrastructure providers may have technical access to data in transit and at rest; all data at rest is encrypted and all data in transit is encrypted via TLS 1.2 or higher.
3.3 Payments
Stripe processes billing name, billing address, tokenized payment details and transaction records. Card details are tokenized by Stripe at the point of entry and are never stored in Setor AI's systems. Stripe is PCI DSS Level 1 certified.
3.4 Messaging and social platforms
Meta provides the Instagram, Facebook and WhatsApp APIs essential to the service. The platform authenticates using tokens provided by the customer (the account holder) and uses those APIs to read and send messages on the customer's behalf. Twilio provides SMS and voice; Slack (Slack Technologies, LLC, part of Salesforce, Inc.) provides team integration and operational notifications. As noted in Section 2.2, Meta acts as an independent or joint controller for its own purposes, and is listed in the table only in respect of the sub-processing it performs for the DM-automation function.
3.5 CRM, scheduling, support and research
Attio, iClosed and HighLevel provide CRM and calendar functions; Calendly and Cal.com provide booking; Gleap provides the support widget and ticketing; RapidAPI is used to research public Instagram profiles; and Notion is used for internal notes. These providers process contact, scheduling and conversation data as directed by the customer.
3.6 E-mail delivery
Resend is the active e-mail provider; Postmark, SendGrid and self-hosted SMTP/Nodemailer are authorized alternatives. These providers process recipient address and message content for transactional and customer communications.
3.7 Analytics and monitoring
PostHog provides product analytics and is engaged only on the basis of consent, with EU data residency (Frankfurt); we do not rely on legitimate interest for product-analytics or ad-tech tracking. Within PostHog we store, only with analytics consent, a hashed IP address (ip_hash) - a per-lead pseudonym derived by hashing the IP address together with the quiz result identifier, used solely to join the same lead's events across devices. The raw IP address is not stored in analytics, the ip_hash is never used as an identity key and never links different individuals sharing one IP (for example behind carrier-grade NAT); it is retained for up to 36 months, then deleted or anonymised. Sentry provides error and performance monitoring. Server-side security, anti-fraud and routing logging (including IP-address logging) is performed on the basis of legitimate interest under Article 6(1)(f) GDPR, with the right to object under Article 21(1) GDPR (see the Privacy Policy).
4. Cross-border Transfers and Safeguards
4.1 Transfer framework
Several Sub-processors are established in the United States. Transfers of personal data from the European Economic Area (EEA) to these Sub-processors are carried out in compliance with Chapter V of the GDPR. For each US entity, transfers rely on the EU-U.S. Data Privacy Framework, on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), or on both, with a Transfer Impact Assessment as a supporting and fallback measure. Sub-processors established within the EEA (for example Hetzner, Gleap and the EU-resident PostHog data store) involve no third-country transfer of the relevant data.
4.2 Standard Contractual Clauses
Where SCCs apply, Setor AI relies on the clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, using Module 2 (controller to processor) where Setor AI transfers data as a controller, and Module 3 (processor to processor) where Setor AI transfers data as a processor on the customer's behalf.
4.3 EU-U.S. Data Privacy Framework
Setor AI monitors the DPF certification status of its US Sub-processors via the official list maintained by the U.S. Department of Commerce at dataprivacyframework.gov. If a Sub-processor's DPF certification lapses, Setor AI ensures that an alternative mechanism (typically the SCCs, supported by a TIA) remains in place so that the transfer continues to be lawful.
4.4 Transfer Impact Assessment
Setor AI maintains a Transfer Impact Assessment covering its third-country Sub-processors. The TIA evaluates the legal frameworks applicable in each Sub-processor's jurisdiction and concludes that the transfer mechanisms and supplementary measures described above provide a level of protection essentially equivalent to that guaranteed within the EEA for the processing concerned. Customers may request a summary of the TIA under their DPA.
5. Changes to the Sub-processor List
5.1 Advance notice (14 days)
Under the general authorization in Section 1.2, Setor AI will give customers who are party to a DPA at least 14 calendar days' prior notice before engaging a new Sub-processor or replacing an existing one, except in the emergency circumstances described in Section 5.4. Notice is given by e-mail to the data-protection contact designated in the DPA (or, failing that, the customer's account e-mail) and/or by updating this document together with an in-product or e-mail notification.
5.2 Content of the notice
- the name and legal entity of the new or replacement Sub-processor;
- the jurisdiction in which it is established;
- the processing purpose and the data categories affected;
- the applicable cross-border transfer mechanism; and
- the effective date of the change.
5.3 Objection on data-protection grounds
Within the 14-day notice period, the customer may object to a new or replacement Sub-processor by writing to office@setor.ai. To be valid, an objection must (a) identify the specific Sub-processor and (b) set out a documented, reasonable data-protection ground for the objection (for example a specific, evidenced concern about the Sub-processor's ability to meet GDPR obligations). General or commercial objections, or objections unsupported by a data-protection ground, are not valid under the general authorization.
On receipt of a valid objection, Setor AI will (1) acknowledge it and (2) consult with the customer in good faith to address the concern. If the concern cannot reasonably be resolved, the customer's sole and exclusive remedy is to terminate the portion of the service that necessarily relies on the objected-to Sub-processor, without penalty for that portion. The objection does not confer a right to veto the Sub-processor or to block its engagement across the wider customer base.
5.4 Emergency engagement
Where a Sub-processor must be engaged urgently to maintain the security, availability or integrity of the platform (for example to mitigate an active security incident or a critical outage), Setor AI may engage it before the 14-day period elapses, will notify affected customers as soon as reasonably practicable, will provide the information in Section 5.2, and will accept any subsequent valid objection under Section 5.3.
6. Customer Rights and Documentation
6.1 Sub-processor agreements
Customers may request copies of the data-processing agreements that Setor AI has in place with the Sub-processors listed here. Setor AI will provide redacted copies (removing commercially sensitive information that is not necessary to demonstrate GDPR compliance) within a reasonable period. Requests go to office@setor.ai.
6.2 Compliance documentation
No more than once per calendar year, customers may request documentation showing that Sub-processors meet their data-protection obligations, such as ISO 27001 or SOC 2 Type II summaries where available, audit excerpts to the extent Setor AI has access to them, or written compliance confirmations. Requests go to office@setor.ai.
6.3 Accuracy and updates
Setor AI keeps this list accurate and up to date. The version and Last Updated date at the top of this document are updated with each change. Customers are encouraged to review this page periodically.
7. Contact
All matters relating to this Sub-processor List - including change notifications, objections on data-protection grounds, requests for Sub-processor agreements or compliance documentation, and inquiries to the Data Protection Officer - are handled through a single contact point:
- Setor AI Sp. z o.o., ul. Tomasza Zana 1, 20-601 Lublin, Poland
- KRS 0001202220, NIP PL7123502599, REGON 543088690
- Data Protection Officer / contact: office@setor.ai
- Website: https://setor.ai | Application: https://app.setor.ai
This document is governed by Polish law. The court competent for B2B disputes is the District Court (Sąd Rejonowy) Lublin-Wschód in Lublin, seated in Świdnik, or the regional court (Sąd Okręgowy) having subject-matter jurisdiction.
This Sub-processor List is published by Setor AI Sp. z o.o. in satisfaction of its transparency obligations under Article 28(2) GDPR. It is a living document and is updated as the Sub-processor landscape evolves. While prepared with care and on verified legal bases, it may be subject to final review by qualified legal counsel; customers with specific compliance requirements are welcome to raise them with us at the contact point in Section 7 (office@setor.ai). Version 4.0 - Last Updated June 16, 2026 - Effective July 1, 2026.
Effective date: July 1, 2026
Version: 4.0