Notes
This list constitutes Annex 2 to the Practions Data Processing Agreement and is binding for all Customers using the Service. Klaver Solutions engages the sub-processors listed below for the delivery and management of the Service. Changes are announced at least thirty (30) days before they take effect, via email or a notice in the Service, in accordance with Article 6 of the Data Processing Agreement.
Categories in the table:
- Purpose: the specific purpose for which the sub-processor is engaged.
- Data type: the categories of Personal Data processed by or through the sub-processor.
- Country of processing: the country where data is actually processed or stored.
- Transfer mechanism: the mechanism required by Articles 44 to 49 GDPR for processing outside the European Economic Area (EEA).
Active sub-processors
| Sub-processor | Entity establishment | Country of processing | Purpose | Data type | Transfer mechanism |
|---|---|---|---|---|---|
| Mollie B.V. | Amsterdam, the Netherlands | Netherlands (EEA) | Payment processing for Subscriptions and, optionally, for coach-outbound invoices to Clients of Customer via iDEAL, Bancontact, credit card and SEPA | Name, email, IBAN, payment data, payment status, invoice references | n/a (processing within EEA) |
| Moneybird B.V. | Hilversum, the Netherlands | Netherlands (EEA) | Optional synchronisation of invoices and contacts with Customer's bookkeeping | Invoice lines, contact data, VAT codes (only when Customer activates this integration) | n/a (processing within EEA) |
| Microsoft Ireland Operations Limited (Azure OpenAI) | Dublin, Ireland | EU regions: West Europe, Sweden Central, France Central | Generation of draft session notes, AI edits on notes, AI practice-manager chat in production | Session transcripts, draft notes, prompts and context fragments from the Service | n/a (processing within EEA); supplemented by the Microsoft Online Services Terms (DPA) |
| Zoho Corporation B.V. | Utrecht, the Netherlands (EU offering) | European data centre (smtp.zoho.eu) | Sending of transactional emails (verification, password reset, invoice, session reminder, onboarding) | Name, email address, email content (transactional body) | n/a (processing within EEA) when using .eu endpoint; in case of switch to a US endpoint: Standard Contractual Clauses (SCCs) and additional safeguards |
| Meta Platforms Ireland Limited (WhatsApp Business Cloud API, graph.facebook.com) | Dublin, Ireland | Ireland (EEA), with routing via Meta infrastructure | Optional WhatsApp verification at signup and transactional WhatsApp notifications; only active when Customer activates the integration, and not for Client communication | Customer phone number, template name, message payload | n/a (Meta Ireland is the processing entity within the EEA); supplemented by the Meta DPA and Standard Contractual Clauses to the extent any Meta content is routed outside the EEA |
| Cloudflare, Inc. | San Francisco, United States | EU edges + US (operational back-end) | Tunnel and network services between the public domain and the production environment | IP addresses, request metadata; no application-layer content payload | Standard Contractual Clauses (SCCs) and, where applicable, EU-US Data Privacy Framework |
| European Commission / VIES | Brussels, Belgium | EU (institution) | Validation of VAT numbers of business Clients | VAT number, business entity name, validation result | n/a (processing within EEA) |
| OpenAI L.L.C. | San Francisco, United States | United States | Used exclusively in development and testing environments, with non-production test data | No production personal data | Standard Contractual Clauses (SCCs); production use is technically blocked at production startup |
Operational or optional sub-processors
| Sub-processor | Purpose | Status | Transfer mechanism |
|---|---|---|---|
| TURN provider for WebRTC NAT traversal | Optional media relay for video calls in networks with symmetric NAT | Not configured on the production deploy of 2026-05-04. Upon activation, the specific provider and country are added to this list via the announcement procedure | To be determined upon activation |
| Sentry (Functional Software, Inc.) | Optional error monitoring | Active only when SENTRY_DSN is configured in production. Event content is pre-filtered to omit known PII fields | EU region where possible; SCCs and, where applicable, EU-US Data Privacy Framework |
| Hugging Face, Inc. | One-off downloads of public speech models for local transcription | No Personal Data of Customers or Clients is transferred to Hugging Face | n/a (no personal data exchanged) |
| Google Ireland Limited (Google Fonts) | Delivery of web fonts (DM Sans, Fraunces) on practions.com | The IP address is exchanged with Google on each page visit | n/a (processing within EEA), with the note that a move to self-hosted fonts is under consideration |
| Cloudflare jsDelivr CDN (cdn.jsdelivr.net) | Loading of icon sprites in the sign-up and use environment | No identifying cookies; IP address is exchanged on CDN fetch | SCCs and, where applicable, EU-US Data Privacy Framework |
Procedural provisions
- Changes to this list are dated and archived for audit traceability. The current version is always available at https://practions.com/en/sub-processors.
- Customer is entitled, under Article 6(4) of the Data Processing Agreement, to object on reasoned grounds to a new sub-processor within the announcement period.
- Questions about this sub-processor list may be addressed to [email protected].