SUB-PROCESSORS
Third-party service providers used by eyre.ai
Last updated: 31/01/2026
WHAT ARE SUB-PROCESSORS?
Sub-processors are third-party companies that eyre.ai uses to help provide our secure meeting platform services. Under GDPR Article 28, we must:
✅ Only use sub-processors who provide sufficient guarantees
✅ Inform you about which sub-processors we use
✅ Give you the right to object to new sub-processors
✅ Ensure they meet the same data protection standards as eyre.ai
We take this responsibility seriously. Every sub-processor is:
✓ EU/EEA-based (no US or third-country sub-processors)
✓ GDPR-compliant with signed Data Processing Agreements
✓ ISO 27001 or SOC 2 certified (or equivalent)
✓ Regularly audited for compliance
✓ Subject to the same security standards as eyre.ai
CURRENT SUB-PROCESSORS
Infrastructure & Hosting
Hetzner Online GmbH
Service: Cloud hosting and infrastructure
Location: Germany 🇩🇪
Data centers: Falkenstein (Germany), Nuremberg (Germany)
What they process: All platform data, meeting metadata, recordings (encrypted)
Purpose:
- Server infrastructure
- Data storage (encrypted at rest)
- Backup systems
- Computing resources
Security & Compliance:
- ISO/IEC 27001 certified
- EU Code of Conduct for Data Centres participant
- GDPR-compliant Data Processing Agreement signed
- Regular third-party security audits
Data location guarantee: All data remains in Germany (EU)
Website: hetzner.com
Privacy policy: hetzner.com/legal/privacy-policy
Content Delivery
BunnyCDN (BunnyWay d.o.o.)
Service: Content Delivery Network (CDN)
Location: Slovenia 🇸🇮 (EU)
PoPs (Points of Presence): EU/EEA only (Germany, Netherlands, France, UK, Sweden, Poland, Czech Republic)
What they process: Meeting media streams (audio/video during transmission only – not stored)
Purpose:
- Fast media delivery for meetings
- Edge caching for performance
- DDoS protection
- Bandwidth optimization
Security & Compliance:
- GDPR-compliant operations
- EU-only delivery configuration (non-EU PoPs disabled for eyre.ai)
- Signed Data Processing Agreement
- Regular security audits
Data location guarantee: All PoPs within EU/EEA, data never routed outside Europe
Website: bunny.net
Privacy policy: bunny.net/privacy
Transactional Emails
Brevo (formerly Sendinblue SAS)
Service: Transactional email delivery
Location: France 🇫🇷
Data centers: Paris (France), Frankfurt (Germany)
What they process: Email addresses, names, email content (meeting invitations, notifications, support communications)
Purpose:
- Meeting invitation emails
- Platform notifications (recording ready, account updates)
- System alerts
- Support communications
Security & Compliance:
- ISO/IEC 27001 certified
- GDPR-compliant by design (French company)
- Signed Data Processing Agreement
- EU-only data storage
Data location guarantee: All email data processed and stored in EU only
Website: brevo.com
Privacy policy: brevo.com/legal/privacypolicy
SUB-PROCESSOR REQUIREMENTS
Every sub-processor must meet these criteria before we engage them:
1. Location & Jurisdiction
✅ EU/EEA-based company OR
✅ Adequacy decision country (Switzerland, UK) with EU-only data processing
❌ NO US-based companies
❌ NO third-country data transfers
2. Security Certification
At least one of:
- ISO/IEC 27001 (Information Security Management)
- SOC 2 Type II (Service Organization Controls)
- Equivalent recognized security standard
3. Legal Compliance
✅ GDPR-compliant Data Processing Agreement (DPA) signed
✅ Commitment to EU-only data processing
✅ No access by third-country parent companies (if applicable)
✅ Audit rights granted to eyre.ai
4. Technical Measures
✅ Encryption in transit (TLS 1.3 minimum)
✅ Encryption at rest
✅ Access controls and authentication
✅ Incident response procedures
✅ Regular security testing
5. Transparency
✅ Public privacy policy
✅ Sub-sub-processor disclosure (if any)
✅ Annual compliance attestations
✅ Security documentation available
NOTIFICATION OF CHANGES
How We Notify You
When we add or change sub-processors, we will:
30 days before engagement:
- Email notification to all customers (at registered email address)
- Update this page (eyre.ai/sub-processors)
- Highlight changes with “NEW” or “UPDATED” tags
Notification includes:
- Sub-processor name and location
- Services they will provide
- Data they will process
- How to object (if you have concerns)
Your Right to Object
You have 14 days from notification to object to a new sub-processor on reasonable data protection grounds.
How to object:
- Email objection to: privacy@eyre.ai
- Include: Your organization name, reason for objection, specific concerns
- We will review within 5 business days
If you object:
Option A: We don’t engage that sub-processor (if commercially reasonable alternative exists)
Option B: We discuss alternative solutions with you
Option C: You may terminate your agreement without penalty (if we cannot accommodate objection)
Example valid objection reasons:
- Sub-processor is in jurisdiction you cannot accept
- Security standards insufficient for your requirements
- Conflict with your industry-specific regulations
- Previous security incidents at that sub-processor
SUB-SUB-PROCESSORS
Some sub-processors may use their own sub-processors (sub-sub-processors).
Current sub-sub-processors:
Hetzner:
- Uses EU-based hardware vendors (servers, networking equipment)
- All vendors within EU/EEA
- No impact on data location or security
BunnyCDN:
- Uses EU-based network providers
- All infrastructure within EU/EEA
- No third-country sub-sub-processors
Brevo:
- Uses EU-based email infrastructure providers
- All processing within EU
- No third-country sub-sub-processors
We require all sub-processors to:
- Notify us 30 days before engaging new sub-sub-processors
- Maintain same security and location standards
- Provide right to object
SUB-PROCESSOR MONITORING
How We Oversee Sub-Processors
Quarterly:
- Review security documentation
- Check for any sub-processor changes
- Monitor incident reports
- Verify data location compliance
Annually:
- Request updated security certifications
- Review Data Processing Agreements
- Audit data processing practices (where possible)
- Assess performance and reliability
Continuous:
- Monitor for security incidents or breaches
- Track service level agreement compliance
- Review customer feedback about sub-processors
If Sub-Processor Fails
If a sub-processor:
- Suffers data breach affecting eyre.ai customers
- Fails to maintain security standards
- Violates terms of Data Processing Agreement
- Loses required certifications
We will:
- Notify affected customers immediately
- Work with sub-processor to remediate (if possible)
- Migrate to alternative sub-processor (if necessary)
- Document and report incident per GDPR requirements
WHAT WE DON’T USE
To protect your data sovereignty, we explicitly do NOT use:
❌ Amazon Web Services (AWS) – US company, CLOUD Act exposure
❌ Google Cloud Platform (GCP) – US company, third-country transfers
❌ Microsoft Azure – US company, jurisdiction concerns
❌ Cloudflare – US company (though we may use EU-only features in future)
❌ Zoom – US-based video infrastructure
❌ Slack – US-based communications
❌ Mailchimp – US-based email
❌ Intercom – US-based support
❌ Any US-based analytics (Google Analytics, Mixpanel, etc.)
Why not?
- US CLOUD Act allows government access to data even if stored in EU
- Schrems II ruling invalidated EU-US data transfer mechanisms
- EU-US Data Privacy Framework under ongoing legal challenges
- We prioritize data sovereignty over vendor convenience
Our commitment: European infrastructure for European values.
FREQUENTLY ASKED QUESTIONS
Why do you use sub-processors?
No company can build everything in-house. Sub-processors provide specialized infrastructure (data centers, networks, email delivery) that would be inefficient to build ourselves. We carefully select EU-based partners who meet our security and privacy standards.
Can I see the Data Processing Agreements with sub-processors?
Yes. Enterprise customers can request copies of our sub-processor DPAs for their compliance review. Email: legal@eyre.ai
What if a sub-processor is acquired by a US company?
We have contractual protections requiring 90 days notice of ownership changes. If a sub-processor is acquired by a non-EU company:
- We assess impact on data sovereignty
- If unacceptable, we migrate to alternative (90-day transition)
- We notify all customers immediately
- No customer data transferred to new owner without consent
Do sub-processors access my meeting content?
No. Your meeting content is end-to-end encrypted. Sub-processors provide infrastructure but cannot decrypt your meetings. They may process:
- Encrypted meeting data (storage)
- Meeting metadata (times, participants, durations)
- Technical data (connection quality, bandwidth)
They do NOT access meeting content (conversations, recordings, shared files).
How do I know sub-processors are really EU-only?
We verify through:
- Contractual commitments in DPAs
- Regular audits and certifications
- Direct inspections where possible
- Customer audit rights (enterprise)
You can also verify independently:
- Check sub-processor privacy policies
- Review their security certifications
- Contact them directly about data location
Can I require eyre.ai to use specific sub-processors?
Enterprise customers can discuss custom infrastructure requirements. However:
- We cannot guarantee specific sub-processor selection for all customers
- Changes may affect pricing or service levels
- Custom requirements require enterprise agreement
Contact: enterprise@eyre.ai
What about analytics or tracking?
We do NOT use:
- Google Analytics (US-based)
- Facebook Pixel (US-based)
- Any third-party advertising/tracking
We MAY use (future):
- Matomo (self-hosted, EU-based) for privacy-respecting analytics
- Plausible Analytics (EU-based, GDPR-compliant)
Current: Minimal analytics, processed in-house on our own servers.
Will you ever use US-based sub-processors?
Current policy: No.
We believe European data should stay in Europe. However:
- If EU-US data transfer framework becomes legally stable AND
- Customer explicitly consents AND
- We cannot find equivalent EU alternative
- We might consider for non-critical services (not infrastructure)
Any such change would require 60 days notice and full objection rights.
CONTACT
General Questions
Email: privacy@eyre.ai
Response time: 48 hours
Sub-processor Objections
Email: privacy@eyre.ai
Subject: Sub-processor Objection – [Sub-processor Name]
Response time: 5 business days
Enterprise/Custom Requirements
Email: enterprise@eyre.ai
Data Protection Officer
Email: dpo@eyre.ai
For: GDPR compliance, data processing questions, audit requests
Legal/Compliance
Email: legal@eyre.ai
For: DPA requests, contractual questions, compliance documentation
SUMMARY TABLE
| Sub-processor | Service | Location | Data Processed | Certification |
|---|---|---|---|---|
| Hetzner | Cloud hosting | 🇩🇪 Germany | Platform data, recordings | ISO 27001 |
| BunnyCDN | CDN | 🇸🇮 Slovenia (EU PoPs) | Media streams | GDPR-compliant |
| Brevo | 🇫🇷 France | Email delivery | ISO 27001 |
Total sub-processors: 3
EU/EEA-based: 100%
Third-country transfers: 0
This page is updated whenever sub-processors change. Bookmark for reference.
Last reviewed: 31/01/2026
Next scheduled review: July 2026 + 90 days
Transparency commitment: We believe you have the right to know exactly who processes your data and where.\
Questions? privacy@eyre.ai