Skip to main content

Sub-Processors

Last updated: May 23, 2026

This page lists all third-party services ("Sub-Processors") that Webnation AB uses to process personal data from Hubbub users. Under GDPR Article 28, we are required to document and make these transparent.

Each Sub-Processor has executed a Data Processing Agreement (DPA) or Data Addendum (DPA) that includes Standard Contractual Clauses (SCCs) for international transfers.

Active Sub-Processors

1. Stripe (Payment Processing)

Purpose: Credit card processing, subscription billing, invoice generation

Personal Data: Email, name, billing address, payment method (card last 4 digits only; Stripe stores full PAN)

Location: United States (Stripe Inc., 510 Townsend St, San Francisco, CA 94103)

Data Retention: Stripe retains billing data for compliance with payment processor regulations (typically 7 years)

DPA/Privacy:
- https://stripe.com/privacy
- https://stripe.com/dpa
- https://stripe.com/resources/more/data-processing-addendum

Transfer Mechanism: Standard Contractual Clauses (Stripe DPA Section 2)

---

2. Resend (Email Delivery)

Purpose: Transactional email (account verification, password reset, invoices, notifications)

Personal Data: Email address, email content (verification codes, invoices)

Location: United States (Resend, Inc.)

Data Retention: Resend retains email logs for 90 days for deliverability and bounce tracking

Privacy & DPA:
- https://resend.com/privacy
- https://resend.com/dpa

Transfer Mechanism: Standard Contractual Clauses

---

3. specific.dev (Web Hosting & CDN)

Purpose: Application hosting, CDN, static asset delivery, SSL/TLS termination

Personal Data: IP address, HTTP request headers, user-agent (browser type), aggregate traffic data

Location: EU origin with a global edge network for static assets

Data Retention: Access logs retained for up to 30 days for security and performance monitoring

Privacy & DPA: See https://specific.dev for current privacy policy and DPA links.

Transfer Mechanism: Processed within the EEA where possible; Standard Contractual Clauses apply for any edge regions outside the EEA.

> Counsel review needed: confirm specific.dev's executed DPA, sub-processor list, and Schrems II supplementary measures (encryption, access controls) are on file.

---

4. AWS S3 (File Storage)

Purpose: Storage of slide images, uploaded PPTX decks, and generated PDF/XLSX exports

Personal Data: File contents (which may include user-authored slide text, images, and audience-response exports), object metadata

Location: EU (eu-north-1 / Stockholm region)

Data Retention: Files are retained while the parent presentation exists; deleted on presentation deletion or account closure (subject to backup retention)

Privacy & DPA:
- https://aws.amazon.com/privacy/
- https://aws.amazon.com/compliance/gdpr-center/

Transfer Mechanism: Processed within the EEA. AWS GDPR DPA applies.

---

5. Temporal (Workflow Orchestration)

Purpose: Background workflow orchestration for PPTX import and PDF/XLSX export jobs. Temporal holds workflow inputs/outputs (identifiers, status, retries) but does not host the actual files (those go to S3).

Personal Data: Workflow inputs may include user IDs, session IDs, and email addresses (used to email the finished export). No slide content or audience responses are stored in Temporal payloads.

Location: EU region (Temporal Cloud)

Data Retention: Workflow history retained per Temporal Cloud defaults (typically up to 30 days post-completion), then purged.

Privacy & DPA: See https://temporal.io for current privacy policy and DPA links.

Transfer Mechanism: Processed within the EEA.

---

6. Sentry (Error Logging & Monitoring)

Purpose: Capturing application errors, performance metrics, and debugging information

Personal Data: Error stack traces (may include variable names/values from your code), URL path, HTTP method, response time, browser type

Personal Data NOT Collected: We configure Sentry to exclude email addresses, payment data, and slide content from error logs

Location: United States (Sentry, Inc.)

Data Retention: Sentry retains error events for 30 days by default; older events are purged

Privacy & DPA:
- https://sentry.io/privacy/
- https://sentry.io/dpa/

Transfer Mechanism: Standard Contractual Clauses (Sentry DPA)

Note: Enterprise customers can request data residency in EU via dedicated Sentry instance

---

7. PostHog (Product Analytics, Consent-Gated)

Purpose: Product analytics — page navigation, feature usage, error counts. Strictly opt-in: we initialise PostHog with `optoutcapturingbydefault: true` and only enable capture after a user grants cookie consent.

Personal Data: Pseudonymous session/device identifier, page URL, feature events, browser type, coarse IP (used by PostHog to derive country only).

Personal Data NOT Collected: Slide content, audience responses, email addresses, payment data, passwords. Autocapture is disabled — we emit only the semantic events we have defined.

Location: EU region — eu.i.posthog.com. Analytics data does not leave the EEA.

Data Retention: Event data retained for up to 12 months, then aggregated or purged.

Privacy & DPA:
- https://posthog.com/privacy
- https://posthog.com/dpa

Transfer Mechanism: Processed within the EEA — no third-country transfer.

User Control: Off by default. Granting consent calls `window._hubbubanalytics_consent(true)`; revoking calls it with `false` and opts the client out immediately.

---

8. Google (OAuth Identity Provider, Optional)

Purpose: Identity verification only when a user chooses "Sign in with Google". Google returns the user's email and basic profile (name, picture); we do not pull any other Google services.

Personal Data: Google account email, name, profile picture URL, OAuth tokens.

Location: United States / global Google infrastructure.

Data Retention: OAuth tokens stored only as long as the linked session is active.

Privacy & DPA:
- https://policies.google.com/privacy
- https://cloud.google.com/terms/data-processing-addendum

Transfer Mechanism: Standard Contractual Clauses (Google Cloud DPA).

User Control: Optional — you may sign in with email/password instead, and you can disconnect Google at any time from your account settings.

---

Sub-Processors We Do NOT Use

  • Google Analytics (we use PostHog EU instead — Google OAuth is used only for sign-in when a user chooses it)
  • Facebook Pixel / Meta Ads (no marketing pixels)
  • Segment, Amplitude, Mixpanel (no multi-tool analytics)
  • Intercom, Zendesk, Freshdesk (no support ticketing at this stage)

Data Processing Agreements (DPAs)

All Sub-Processors listed above have executed a Data Processing Agreement (DPA) or Data Addendum (DPA) that includes:

  • Data Processing Terms (GDPR Article 28 compliance)
  • Sub-Processor Authorization (GDPR Article 28(2) & 28(4))
  • Standard Contractual Clauses (SCCs) for international transfers (GDPR Chapter V)
  • Data Subject Rights Support (GDPR Articles 15–22 facilitation)
  • Confidentiality & Security Obligations (GDPR Article 32)
  • Audit Rights (GDPR Article 28(3)(h))

For Enterprise Customers: Request a signed copy of any Sub-Processor's DPA for your records. Email info@webnation.se.

International Data Transfers

We try to keep personal data inside the EEA wherever practical. specific.dev (hosting), AWS S3 (storage), Temporal (workflows), and PostHog (analytics) are all configured to run in the EU. The processors that still touch the US — Stripe, Resend, Sentry, and (optionally) Google OAuth — operate under safeguards required by GDPR Chapter V:

1. Standard Contractual Clauses (SCCs) — the 2021 EU Commission-approved modules, included in each processor's DPA.
2. Supplementary Measures (per Schrems II):
- Encryption of data in transit (HTTPS/TLS)
- Encryption of data at rest (where available)
- Access controls and audit logging
- Minimised payloads — we scrub email addresses, payment data, and slide/audience content from error reports before they leave our servers
- Sub-processor transparency on this page

> Counsel review needed: obtain current SCC audit confirmations from Sub-Processors and document any additional technical/organizational measures post-Schrems II.

Right to Object

Under GDPR Article 28(3)(h), you have the right to object to certain Sub-Processors. To request removal of a Sub-Processor (where not essential to service delivery), email info@webnation.se with:

  • Sub-Processor name
  • Reason for objection

We will respond within 30 days. Essential processors (Stripe for payment, specific.dev for hosting, AWS S3 for storage, Resend for transactional email, Temporal for background jobs) cannot be objected to without discontinuing the service.

Changes to Sub-Processors

We may add or remove Sub-Processors with 30 days' notice. We will announce major changes via email and update this page. You may object to new Sub-Processors within 14 days of notification.

Questions

For questions about Sub-Processors, data transfers, or to request a Sub-Processor's DPA:

Webnation AB
info@webnation.se