LEGAL · TRANSPARENCY · GDPR ART. 28(4)

Authorized Sub-Processors

Rankiteo Inc. uses the limited set of sub-processors listed below to deliver the Services. All Personal Data is hosted and processed exclusively within the European Economic Area (EEA). This page is the canonical, always-up-to-date list referenced from our Data Processing Agreement.

Last updated: April 25, 2026

What is a sub-processor?

A sub-processor is a third-party service provider that processes Personal Data on behalf of Rankiteo in order to deliver the Services to our customers (the "Controllers" under GDPR). Examples include cloud-infrastructure providers, CI/CD platforms, and monitoring services.

Under GDPR Article 28(4), Rankiteo binds every sub-processor by a written contract that imposes data-protection obligations equivalent to those Rankiteo owes its customers. Rankiteo remains fully liable to the customer for the performance of each sub-processor.

Key facts

  • EU-only Processing. All Customer Personal Data is hosted and processed exclusively in the EEA — no data leaves the EEA in nominal Service operation.
  • Limited list. Only the four sub-processors below are authorized. We have no SaaS analytics provider, no CRM provider, no advertising network in our data path.
  • 30-day advance notice. If we add or replace a sub-processor, we notify customers 30 days in advance, and customers may object on data-protection grounds within 15 business days.
  • Equivalent obligations. Each sub-processor is bound by written agreement to data-protection obligations equivalent to ours.
  • Schrems II compliant. Our US parent entity (Rankiteo Inc.) signs SCCs Module 2 with each EU customer; a documented Transfer Impact Assessment is in place.

Get notified of changes

To be notified by email when this list changes, send a request from your DPO email to [email protected] with the subject "Subscribe to sub-processor updates". We will add your address to the notification list within 5 business days.

You may also poll this page programmatically — the "Last updated" date at the top is mirrored in the page metadata and updates each time the list changes.

Current sub-processors (4)

🇮🇪
Cloudflare
Cloudflare Ireland Ltd. (EU customer-of-record entity for Cloudflare, Inc.)
cloudflare.com
Address
7th Floor, 25-28 North Wall Quay, Dublin 1, D01 H104, Ireland
Location of Processing
Cloudflare global edge — configured with the Cloudflare Data Localization Suite (Regional Services + Customer Metadata Boundary set to EU) so requests are processed only by EU edge nodes
Service provided
Edge network — CDN, Web Application Firewall (WAF), DDoS protection, DNS, bot management. All inbound HTTPS traffic terminates at Cloudflare before being proxied to OVH origin.
Data categories
Network metadata (IP address, user-agent, request URL, response code, geolocation) and the TLS-decrypted request body briefly in transit at the edge for security inspection. No long-term storage at the edge.
Certifications
ISO 27001, ISO 27018, ISO 27701, SOC 2 Type II, PCI DSS Level 1, GDPR DPA
🇩🇪
Hetzner
Hetzner Online GmbH
hetzner.com
Address
Industriestr. 25, 91710 Gunzenhausen, Germany
Location of Processing
Germany — Falkenstein, Nuremberg
Service provided
Primary application + data tier — web application servers (3× behind WAF/VPN), MongoDB database, encrypted backups
Data categories
All Customer Personal Data (portfolio, claims, scores, custom companies, sessions, logs, sanctions index)
Certifications
ISO 27001, BSI C5, DIN EN 50600, ISO 9001
🇫🇷
OVH
Address
2 rue Kellermann, 59100 Roubaix, France
Location of Processing
France — Roubaix, Strasbourg, Gravelines
Service provided
Workload tier — HAProxy load balancer + processing workloads (scoring pipelines, enrichment jobs, batch analytics) that pull data from Hetzner over an HTTPS-secured channel
Data categories
Personal Data processed transiently in memory during scoring / enrichment runs. No persistent storage of Customer data on OVH.
Certifications
ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, HDS (FR Health-Data Hosting)
🇪🇺
Microsoft Azure DevOps
Microsoft Ireland Operations Limited
azure.microsoft.com
Address
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
Location of Processing
Microsoft Azure — West Europe (Netherlands) and North Europe (Ireland) regions only
Service provided
CI/CD pipelines, secret management (Azure Key Vault), build / release automation, monitoring (Azure Monitor), private artifact storage
Data categories
No Customer Personal Data; only Rankiteo source code, build artifacts, deployment secrets, and operational telemetry
Certifications
ISO 27001, ISO 27017, ISO 27018, SOC 2 Type I/II/III, EU Data Boundary commitment

What we don't use (intentionally)

For full transparency, the following categories of sub-processors are not in our data path. This is a deliberate architectural choice to minimize the GDPR transfer attack surface:

  • No US-hosted SaaS analytics (no Mixpanel, Amplitude, Segment in the Customer-data flow)
  • No third-party advertising networks (no Google Ads / Meta Pixel)
  • No CRM in the data path (no Salesforce / HubSpot processing Customer Personal Data)
  • No US-hosted databases (no DynamoDB, RDS, Snowflake holding Customer data)
  • No US edge / CDN for Customer-data delivery (web assets only — no cookies, no PII)

Note: external Large-Language-Model providers (OpenAI, Anthropic, DeepSeek) are only invoked when the Customer explicitly configures their own API key. In that case the Customer is the party transferring data to the LLM provider under their own DPA, not Rankiteo.

Contact

Rankiteo Inc. · Data Protection Officer

3790 El Camino Real, Palo Alto, CA 94306, United States

DUNS 144988327 · Phone: +1 650-374-4052 / +33 7 87 77 55 92

Email: [email protected]