When this article matters
You're doing a vendor security review of TaxItEasy and need the sub-processor list with locations, purposes, transfer mechanisms, and DPA references. Or you're trying to understand which third parties see your data and under what conditions. This article is the human-readable summary; the canonical legally-binding list with per-provider DPA references lives at /subprocessors.html.
For the broader data-residency context (where your data lives at rest), see where is my data stored. For the encryption that protects data from each sub-processor where applicable, see how our encryption works in plain English.
The six sub-processors
| Provider | Purpose | Location | Transfer mechanism | What they see |
|---|---|---|---|---|
| DigitalOcean | Compute (Kubernetes), database (PostgreSQL), object storage (Spaces) | Frankfurt (FRA1), EU | SCCs (US-incorporated provider, EU data residency contractually guaranteed) | Encrypted data at rest; metadata in plaintext (email, timestamps, account state) |
| Anthropic | AI extraction (Claude API) | United States | EU-US DPF + SCCs | Document content during the few-second extraction window; not your account metadata or relationships |
| Stripe | Payments + invoicing | United States | EU-US DPF + SCCs | Billing email, payment method, plan, invoice line items, VAT ID (if you provide one) |
| Resend | Transactional email (outbound receipts, notifications) + inbound webhook (your forwarding address) | United States / EU | SCCs | Email-channel events: subject, sender, recipient. Email bodies on the inbound path are processed and discarded — not retained. |
| Sentry | Error monitoring with PII scrubbing | United States | EU-US DPF + SCCs | Error traces with explicit PII scrubbing; never personal data |
| Cloudflare | CDN / DDoS / WAF in front of the website | Global edge with EU presence | EU-US DPF + SCCs | HTTP metadata (IP, user-agent, request path) for traffic to the marketing site; not application data |
That's the entire list as of 2026-05. We don't have other customer-facing sub-processors.
Where the canonical list lives
/subprocessors.html — full per-provider table with: what data is processed, retention, the provider's privacy policy URL, the DPA reference, the change-log of additions and removals. That page is the legally-binding source of truth; we always update it before we add or change a sub-processor.
This help article is a friendlier summary; the legal document is the canonical /subprocessors.html.
Customer notification before changes
We notify all customers 14 days before adding a new sub-processor. The notice goes via three channels:
- Email to the Owner of every account (the user with the Owner role on the company)
- In-app banner on the Dashboard, visible until you dismiss
- An entry in the Sub-processors change log on the /subprocessors.html page
You have those 14 days to object. If you object, we discuss options — most commonly: opt out of the specific feature that requires the new sub-processor (e.g. opt out of OCR if you object to the AI sub-processor). For some sub-processor changes, opt-out isn't viable (a payment-processor change can't be opted out of and keep paying); in those cases the only options are to accept the change or terminate the subscription.
This 14-day window is the minimum required under GDPR Article 28 for sub-processor changes; we'd extend it for material changes where users genuinely need longer to evaluate.
What's special about Anthropic
The AI extraction step is the one place your document content leaves the EU. The trade-offs are worth knowing:
What goes to Anthropic:
- The document content (PDF text, OCR'd image text, or image bytes if no extractable text exists in the source).
- It is sent for a few seconds only: the API call is synchronous from our backend's perspective; the document content is sent and processed, structured fields are returned, and our backend writes the result back.
What does NOT go to Anthropic:
- Your email address
- Your account metadata (creation date, subscription state, plan)
- Your bank-transaction history
- Your tax-advisor relationships
- Your name (unless it happens to appear on the invoice itself, which is the document content)
- The list of other documents in your account
Retention at Anthropic:
- Currently: follows Anthropic's commercial API default — up to 30 days for safety monitoring, then deleted from Anthropic's side.
- In negotiation: a contractual zero-retention addendum with Anthropic. Once signed, document content is dropped immediately at Anthropic's side with no monitoring retention. We will publish the executed addendum on /security.html and /subprocessors.html once it's signed. Until then, we deliberately don't claim it.
Transfer mechanism:
- EU-US Data Privacy Framework (DPF, July 2023) — Anthropic is on the DPF participants list.
- Standard Contractual Clauses (SCCs) as the backup mechanism, also signed.
Can you opt out of Anthropic? If you object to the AI sub-processor, currently you cannot fully opt out and keep using TaxItEasy — the AI extraction is core to the product. On-premise / EU-only AI variants are not on the immediate roadmap. The closest opt-out is "stop uploading documents" (which keeps the rest of the service functional but without the central feature).
What's special about each of the others
DigitalOcean
US-incorporated company with EU infrastructure. Your data physically resides in Frankfurt and is contractually guaranteed not to leave the EU at rest. The CLOUD-Act exposure is mitigated by our application-layer envelope encryption — DigitalOcean's staff cannot read your data even if compelled by a US court order; they'd retrieve ciphertext only.
Stripe
Sees billing-related data: your email, payment method (card on file, never the full PAN), plan, invoices, VAT ID. Stripe doesn't see your invoice content, your documents, or your customer relationships. Stripe has its own SOC 2 / PCI-DSS / GDPR posture; their privacy policy is comprehensive and worth reading if you handle large-scale payments.
Resend
Outbound: every transactional email we send goes through Resend. Receipts (forwarded to your billing email), 2FA codes (just kidding — 2FA is TOTP, no SMS, no email), 30-day inactivity reminders, tax-advisor flag notifications. Inbound: every email forwarded to your u-…@in.taxiteasy.org address hits a Resend webhook that fires our inbound handler. Email body is processed in-memory by our handler and discarded — not retained.
Sentry
Catches application errors for our engineering response. Sentry's privacy mode strips PII from error traces (we have explicit allowlists for what's safe to send to Sentry — no fields from invoices, no user content, just stack-traces and request metadata). Sentry is the most-scrutinised of our sub-processors precisely because errors can accidentally include sensitive data; we audit the rules quarterly.
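The allowlist approach described above, as an added sketch (not TaxItEasy's code): a scrubber that copies only named fields into the outgoing event, the kind of function that would run in the error-monitoring SDK's pre-send hook (`before_send` in Sentry's SDKs). The event layout, the allowlisted field names and the sample event are assumptions constructed for illustration.

```python
# Added example: allowlist scrubbing of an error event before it is sent.
# Field names and the sample event are constructed assumptions.
ALLOWED = {  # top-level key -> permitted sub-keys (None = copy scalar as-is)
    "level": None,
    "exception": {"type", "module", "frames"},
    "request": {"method", "path", "status"},
}
ALLOWED_FRAME_KEYS = {"filename", "function", "lineno"}  # no local variables


def scrub_event(event: dict) -> dict:
    """Return a new event holding allowlisted fields only (default: drop)."""
    clean = {}
    for key, subkeys in ALLOWED.items():
        value = event.get(key)
        if subkeys is None:
            if isinstance(value, (str, int)):
                clean[key] = value
            continue
        if not isinstance(value, dict):
            continue  # missing or unexpected shape: drop rather than guess
        kept = {k: v for k, v in value.items() if k in subkeys}
        if "frames" in kept:
            frames = kept["frames"] if isinstance(kept["frames"], list) else []
            kept["frames"] = [
                {k: v for k, v in f.items() if k in ALLOWED_FRAME_KEYS}
                for f in frames if isinstance(f, dict)
            ]
        clean[key] = kept
    return clean


# Constructed sample: an extraction error whose raw event carries user content.
SAMPLE_EVENT = {
    "level": "error",
    "exception": {
        "type": "ValueError",
        "value": "cannot parse total on invoice for Max Mustermann",
        "frames": [{"filename": "extract.py", "function": "parse_total",
                    "lineno": 88, "vars": {"iban": "DE00 0000 0000"}}],
    },
    "request": {"method": "POST", "path": "/documents", "status": 500,
                "query_string": "email=user@example.com"},
    "user": {"email": "user@example.com"},
    "extra": {"invoice_text": "Rechnung ..."},
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
```

The exception message (`value`) is dropped on purpose, because parser errors tend to quote the input they failed on; a field added upstream later is likewise withheld until someone adds it to the allowlist.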
Cloudflare
Sits in front of the public-facing website (taxiteasy.org) and the API (api.taxiteasy.org) for DDoS protection, WAF, and CDN. Sees HTTP request metadata (IP, user-agent, request path) for traffic to the marketing site; for application traffic, sees the encrypted bytes (TLS-terminated at Cloudflare's edge, re-encrypted to our origin). Cloudflare doesn't see decrypted application data unless the request is to a static-cached endpoint (CSS, JS, images), in which case there's no personal data anyway.
Sub-processors that are not customer-facing
These are internal-only — they don't process customer personal data:
- GitHub (source-code hosting)
- Docker Hub / DigitalOcean Container Registry (CI artefacts)
Sentry is sometimes asked about here; it's already listed above. They receive error-trace events with PII scrubbing as their primary input; we list them as customer-facing because in edge cases (a really weird error trace that slipped through PII scrubbing) they could in theory see fragments of personal data.
We don't list GitHub or Docker Hub on /subprocessors.html because they don't process personal data — our source code is not personal data, and the CI artefacts are encrypted images that don't contain customer data.
DPA (Data Processing Agreement)
A DPA is the contractual document under GDPR Article 28 that governs the data-processor relationship between you (the data controller) and us (the data processor). For TaxItEasy:
- Available on request to [email protected].
- In-app download from Settings → Compliance → DPA.
- Public version at /dpa.html — the standalone document.
The DPA includes references to each sub-processor's own DPA (transitive coverage) so you have a single document chain from your relationship with us to each downstream processor.
Edge cases
I want a DPA. Available on request to [email protected] and as an in-app download from Settings → Compliance. See /dpa.html for the public version. Custom-modified DPAs (changes to the template to fit your legal team's preferences) are possible on enterprise contracts; for standard plans we use the public template.
My DPO is asking about the Anthropic zero-retention claim. Anthropic's commercial default applies today — up to 30 days for safety monitoring. The zero-retention addendum is in active negotiation. We will publish the executed addendum on /security.html and /subprocessors.html once signed. Until then we don't claim it. If your DPO needs the addendum in place before you can use the service, the workaround is to wait for the addendum (estimated date is uncertain — depends on Anthropic's contract pipeline) or use a non-AI-extraction workflow (which means manual data entry, which most users don't want).
What about regional providers — could you use EU-only AI? On our radar. Quality bar is the gating factor — extraction accuracy and cost competitiveness. If regional providers (Aleph Alpha, Mistral, etc.) reach parity with Anthropic for our specific use case (German + multilingual invoice extraction), we'll add them as an alternative or replacement. We won't add them for marketing reasons alone if the quality regresses.
Can I opt out of Cloudflare and connect directly to your origin? Not as a per-customer setting. Cloudflare is in front of the whole site for DDoS / WAF; bypassing it for one customer would create a parallel architecture we'd have to maintain in addition to the Cloudflare path. The Cloudflare data exposure is limited (TLS-terminated, no application data visible) so it's not usually the friction point.
You added a new sub-processor and I didn't get the 14-day notice. Check your email-notification preferences (Settings → Notifications) and the address on file. If you confirm we missed you, write to [email protected] with [GDPR] sub-processor notification missed — we'll investigate and remediate (most often a notification went to spam; rarely an address was outdated).
Can I see audit logs of which sub-processor your system called for my specific document? Currently there is no per-document sub-processor trace surfaced to users. The audit log shows our internal actions (extraction triggered, etc.), but doesn't itemise the Anthropic / Stripe / Resend API call for each. If you need this granularity for a specific investigation, write to [email protected] — we can pull the trace from our logs within the standard GDPR 30-day window.
Related
- Where is my data stored? — the residency context
- How our encryption works — what protects data from each sub-processor
- Your GDPR rights as a user — Art. 28 context for sub-processor management
- /subprocessors.html — canonical legally-binding list
- /dpa.html — standalone DPA document