Public list of sub-processors
GDPR Art. 28 requires transparency about the sub-processors we use to provide the service to you. Here we publish the complete list, with the location, purpose and signed agreements for each. We notify you by email 30 days in advance of any change.
Why we publish this list
As the processor of your personal data and your endpoint inventory data, Itrion Software commits not to contract sub-processors without your knowledge. GDPR Art. 28(2) requires specific or general prior written authorization before contracting another processor. We operate under general authorization with 30-day prior notification, which allows you to object and, if applicable, terminate the contract if you don't accept the change.
This list was last updated on May 4, 2026. Any change (new sub-processor, location change, sub-processor termination) is notified by email to your organization's DPO/CISO contact registered in the contract. If you haven't provided a technical/legal contact, we notify the main tenant administrator.
For all sub-processors: a signed GDPR Art. 28 contract, SCC (Standard Contractual Clauses) when an international transfer applies, an annual documentary audit right, a requirement to report incidents to Itrion in less than 24h, and a requirement to meet the same protection level Itrion offers its customers.
Active sub-processors list
Itrion Datacenter Madrid (PROD1)
Dedicated server in the Itrion datacenter with 99.99% connectivity. Location: Madrid, Spain. Purpose: hosting of the main Itamite Kubernetes cluster. Art. 28 contract + standard DPA. No international transfer.
Hetzner Online GmbH (Mirror Frankfurt)
Cloud infrastructure for the cluster's hot replica node. Location: Frankfurt, Germany. Purpose: failover and distributed backup. Art. 28 contract + Hetzner DPA. No international transfer (DE intra-EU).
OVHcloud (Backup Roubaix)
S3-compatible storage for encrypted backups. Location: Roubaix, France. Purpose: AES-256 encrypted off-site backup. Art. 28 contract + OVH DPA + SCC. No transfer outside the EU (FR).
Mailcow (own Itrion instance)
Self-hosted email server for product notifications (alerts, reports, invoices). Location: Madrid, Spain. Purpose: transactional email and notifications. No third parties, no international transfer.
SMTP2GO Limited
Backup SMTP provider to guarantee delivery. Location: New Zealand and United States. Purpose: SMTP failover if Mailcow doesn't deliver. Art. 28 contract + SCC + adequacy decision (NZ adequacy under review). Only product transactional emails, no tenant content.
Stripe Payments Europe Ltd
Payment gateway for card processing. Location: Dublin, Ireland (EU HQ). Purpose: ONLY one-time payment processing (PaymentIntent + SetupIntent); we don't store tokens or use Stripe Subscriptions. Art. 28 contract + SCC.
Optional sub-processors (Enterprise)
For Enterprise customers, additional sub-processors can be activated based on the chosen configuration:
- AWS KMS / Azure Key Vault / GCP KMS for BYOK (customer encryption key management, customer-chosen location).
- Certified healthcare datacenter in Madrid or Frankfurt for HIPAA-eligible (+25% over rate).
- Air-gapped on-premise hosting (no external sub-processors, customer infrastructure).
For specific cases, review the individual Enterprise contract.
- Email notification: 30 days before any change
- Art. 28 contract + DPA + SCC: signed with all sub-processors
- Documentary audit: annual review right
- Main sub-processors: 100% in EU territory
- For Enterprise: individual review of each new sub-processor
Sub-processor questions
Do I have to accept all sub-processors?
How do you notify me of changes?
Can I request the Art. 28 contract with specific sub-processors?
What if I want a sub-processor that is not on the list?
Subscribe to notifications
Receive an automatic email when we add, change or remove sub-processors. GDPR compliance guaranteed.