The table below lists third parties that Geodd LLC may use to process Customer Personal Data on behalf of Geodd in connection with the Services.
| Vendor | Category | Purpose | Data Processed | Region / Processing Location | Transfer Mechanism | Notes |
|---|---|---|---|---|---|---|
| AWS | Cloud hosting / servers | Hosting, compute, infrastructure, and related cloud services | Customer account data, usage data, service data, infrastructure metadata, and Customer Personal Data processed through hosted services where applicable | EU for EU/UK inference infrastructure where selected or provided; other AWS regions may be used where Customer selects or enables non-EU infrastructure | AWS DPA, EU SCCs, UK Addendum, Swiss adaptations where applicable | AWS supports international transfers under its DPA. Region depends on infrastructure selected/configured by Geodd or Customer. |
| MongoDB | Database | Database hosting and storage | Customer account/admin data, usage data, billing-related service data, and related operational records | EU for EU/UK customer database data; other MongoDB Atlas regions may be used depending on service configuration | MongoDB DPA, EU SCCs, UK Addendum, Swiss adaptations where applicable | Geodd stores EU/UK customer registration and billing account data in Europe and encrypted at rest. MongoDB Atlas supports regional and multi-cloud deployments. |
| SendGrid | Transactional and service emails | Business email, name where applicable, account/service email content, delivery metadata | EU where SendGrid EU Email Data Residency is enabled; otherwise US/global processing may apply | Twilio/SendGrid DPA, EU SCCs, UK Addendum, Swiss adaptations where applicable | SendGrid offers EU Email Data Residency for recipient PII, email content, and event data. Confirm whether Geodd has enabled this. | |
| Google Workspace | Email / productivity | Business email, administration, collaboration, and internal operations | Business email, contact details, support/legal/admin communications, documents where applicable | Global by default; EU or US data regions may be selected depending on Google Workspace edition and configuration | Google Cloud/Workspace DPA, EU SCCs, UK Addendum, Swiss adaptations where applicable | Google Workspace supports data region controls, including global, EU, US, or multiple regions, depending on plan/configuration. |
| HubSpot | CRM | Customer relationship management, sales/contact management, and customer communications | Name, business email, phone number, company name, job title, sales/contact enquiry data, marketing/customer communications | US, EU/Germany, Canada, or Australia depending on HubSpot account hosting location | HubSpot DPA, EU SCCs, UK Addendum, Swiss adaptations where applicable | HubSpot hosts product infrastructure on AWS in the US, Canada, Australia, and EU/Germany. Confirm Geodd’s HubSpot account data hosting location. |
| Slack | Support / internal communication | Internal support, operational communication, incident/security coordination | Support messages, customer contact details, operational messages, limited service context where applicable | Global by default; data residency regions may be available depending on Slack plan/configuration | Slack DPA, EU SCCs, UK Addendum, Swiss adaptations where applicable | Slack data residency allows customers to choose a region for certain data at rest, but availability depends on plan and setup. |
| Cloudflare | Security / CDN | CDN, WAF, security, traffic protection, and related network services | IP addresses, traffic metadata, security logs, request metadata where applicable | Global edge network; US and Europe for certain metadata; regional processing may be configurable through Cloudflare Data Localization features | Cloudflare DPA, EU SCCs, UK Addendum, Swiss adaptations where applicable | Cloudflare’s core services use a global network. Regional Services/Data Localization may restrict where traffic is decrypted/serviced if configured. |
| SignNow | Contract / e-signature | Contract execution and e-signatures | Name, business email, contract/order form details, signatures, legal/admin records | US/global unless a specific regional arrangement is confirmed | SignNow/airSlate DPA, EU SCCs, UK Addendum, Swiss adaptations where applicable | Use conservative wording unless Geodd confirms its SignNow account data residency. |
| Intuit | Billing / accounting | Accounting, invoicing, billing, tax, and financial records | Name, company name, billing address, invoices, payment metadata, tax IDs, billing/legal records | US and other countries where Intuit, affiliates, subsidiaries, or service providers operate; region may depend on product and account | Intuit DPA or privacy/data transfer terms, EU SCCs, UK Addendum, Swiss adaptations where applicable | Intuit states it may store and process personal information in the US and other countries where Intuit or its service providers operate. |
| Stripe | Payment provider | Payment processing, payment metadata, billing support, fraud prevention | Payment metadata, billing details, transaction records, customer payment identifiers where applicable | Global, including US and other Stripe processing locations; region depends on Stripe entity, product, and transaction flow | Stripe DPA, Stripe Data Transfers Addendum, EU SCCs, UK Addendum, Swiss adaptations where applicable | Stripe may act as a Subprocessor for some billing-related processing and as an independent controller for regulated payment processing, depending on context. |
The following vendors may act as independent controllers, third-party platforms, or controller-side vendors depending on how they are used. They are not necessarily Subprocessors for Customer Personal Data processed by Geodd as processor.
| Vendor | Category | Purpose | Region / Processing Location | Notes |
|---|---|---|---|---|
| Stripe | Payment provider | Payment processing and regulated payment services | Global, including US and other Stripe processing locations | Stripe may act as an independent controller for certain payment processing activities. |
| Google Analytics | Analytics | Website analytics and usage measurement | Global / Google processing locations | Generally relates to Geodd’s controller-side website analytics, not Customer Personal Data processed through the API. |
| Support / communication | Customer support or communications | Global / Meta processing locations | Should not be used for sensitive Customer Personal Data unless appropriate safeguards are in place. | |
| Telegram | Support / communication | Customer support or communications | Global / Telegram processing locations | Should not be used for sensitive Customer Personal Data unless appropriate safeguards are in place. |
| Discord | Support / community communication | Customer support, community, or operational communication | Global / Discord processing locations | Should not be used for sensitive Customer Personal Data unless appropriate safeguards are in place. |
| Meta Pixel | Marketing / tracking | Website marketing and tracking | Global / Meta processing locations | Used only where applicable and subject to cookie consent requirements. |
| LinkedIn Pixel | Marketing / tracking | Website marketing and tracking | Global / LinkedIn/Microsoft processing locations | Used only where applicable and subject to cookie consent requirements. |
Geodd may use third-party suppliers for physical hardware, rack space, power, cooling, connectivity, physical maintenance, and physical security.
Geodd does not treat these suppliers as Subprocessors unless they process Customer Personal Data on behalf of Geodd.
Physical infrastructure suppliers are not Subprocessors where they do not have logical, administrative, operational, support, storage, backup, monitoring, encryption-key, or readable access to Customer Personal Data, workloads, prompts, outputs, logs, backups, storage, or runtime environments.
Emergency access by physical infrastructure suppliers is limited to physical premises, rack, cabling, power, hardware replacement, cooling, connectivity, and physical security. It does not include logical access to systems, workloads, storage, logs, encryption keys, or Customer Personal Data.
Geodd will provide at least 30 days’ prior notice before adding or replacing a Subprocessor that will process Customer Personal Data.
Customers may object to a new Subprocessor by emailing [email protected] during the notice period and explaining the reasonable data protection grounds for objection.
If Geodd cannot reasonably accommodate the objection, Customer may terminate only the affected Services before the new Subprocessor is used for Customer Personal Data, subject to the terms of the applicable agreement.
For questions about this Subprocessor list, contact: [email protected]