When this article matters
You're doing a vendor security review of TaxItEasy and need the sub-processor list with locations, purposes, and transfer mechanisms. Or you're trying to understand which third parties see your data and under what conditions. This article is the human-readable summary; the canonical legally-binding list with per-provider details lives at /subprocessors.html.
For the broader data-residency context (where your data lives at rest), see where is my data stored. For the encryption that protects data from each sub-processor where applicable, see how our encryption works in plain English.
The eight sub-processors
| Provider | Purpose | Location | Transfer mechanism | What they see |
|---|---|---|---|---|
| DigitalOcean | Compute (Kubernetes), database (PostgreSQL), object storage (Spaces) | Frankfurt (FRA1), EU | SCCs (US-incorporated provider, EU data residency contractually guaranteed) | Encrypted data at rest; metadata in plaintext (email, timestamps, account state) |
| Anthropic | AI extraction (Claude API) + website-assistant answers | United States | EU-US DPF + SCCs | Document content during the few-second extraction window; not your account metadata or relationships |
| Mistral AI | Text embeddings for the public website assistant (chatbot) | France, EU | EU provider; processing configured within the EU | Messages typed into the public website assistant; no account, document, banking, or tax data |
| Resend | Outbound transactional email (receipts, notifications) | United States | SCCs | Email-channel events for mail we send: subject, sender, recipient, notification content |
| MailPace (OhMySMTP Ltd) | Inbound email receiving — your u-…@in.taxiteasy.org forwarding address |
UK company; email data hosted in France (EU), backups in Germany (EU) | UK adequacy decision; primary hosting in the EU | Forwarded emails in transit (metadata, body, attachments). MailPace retains received emails for up to 35 days per its DPA. On our side, email bodies are processed and discarded — not retained; only extracted attachments are stored. |
| Stripe | Payments + invoicing | United States | EU-US DPF + SCCs | Billing email, payment method, plan, invoice line items, VAT ID (if you provide one) |
| Sentry | Error monitoring with PII scrubbing | United States | EU-US DPF + SCCs | Error traces and request metadata with explicit PII scrubbing — no document content or invoice data |
| Cloudflare | CDN / DDoS / WAF in front of the marketing website | Global edge with EU presence | EU-US DPF + SCCs | HTTP metadata (IP, user-agent, request path) for traffic to the marketing site; not application data |
That's the entire list as of 2026-07. We don't have other customer-facing sub-processors.
Where the canonical list lives
/subprocessors.html — full per-provider table with: purpose, what data is processed, location, transfer mechanism, and the change-log of additions and removals. That page is the legally-binding source of truth; we always update it before we add or change a sub-processor.
This help article is a friendlier summary; the legal document is the canonical /subprocessors.html.
Customer notification before changes
We notify all customers at least 30 days before adding a new sub-processor or replacing an existing one (DPA Section 4.3). The notice goes via two channels:
- Email to the Owner of every account (the user with the Owner role on the company)
- An entry in the Sub-processors change log on the /subprocessors.html page
You then have 14 days from the notification to object. If you object, we discuss options — most commonly: opt out of the specific feature that requires the new sub-processor (e.g. opt out of OCR if you object to the AI sub-processor). For some sub-processor changes, opt-out isn't viable (a payment-processor change can't be opted out of and keep paying); in those cases the only options are to accept the change or terminate the subscription.
GDPR Article 28 itself prescribes no specific day count — it requires that you get the opportunity to object. The 30-day notice and 14-day objection window are the contractual commitments in Section 4.3 of our DPA; we'd extend them for material changes where users genuinely need longer to evaluate.
What's special about Anthropic
The AI extraction step is the one place your document content leaves the EU. The trade-offs are worth knowing:
What goes to Anthropic:
- The document content (PDF text, OCR'd image text, or image bytes if no extractable text exists in the source).
- For a few seconds — the API call is synchronous from our backend's perspective; the document content is sent, processed, structured fields are returned, and our backend writes the result back.
What does NOT go to Anthropic:
- Your email address
- Your account metadata (creation date, subscription state, plan)
- Your bank-transaction history
- Your tax-advisor relationships
- Your name (unless it happens to appear on the invoice itself, which is the document content)
- The list of other documents in your account
Retention at Anthropic:
- Currently: follows Anthropic's commercial API default — up to 30 days for safety monitoring, then deleted from Anthropic's side.
- In negotiation: a contractual zero-retention addendum with Anthropic. Once signed, document content is dropped immediately at Anthropic's side with no monitoring retention. We will publish the executed addendum on /security.html and /subprocessors.html once it's signed. Until then, we deliberately don't claim it.
Transfer mechanism:
- EU-US Data Privacy Framework (DPF, July 2023) — Anthropic is on the DPF participants list.
- Standard Contractual Clauses (SCCs) as the backup mechanism, also signed.
Can you opt out of Anthropic? If you object to the AI sub-processor, currently you cannot fully opt out and keep using TaxItEasy — the AI extraction is core to the product. On-premise / EU-only AI variants are not on the immediate roadmap. The closest opt-out is "stop uploading documents" (which keeps the rest of the service functional but without the central feature).
What's special about each of the others
DigitalOcean
US-incorporated company with EU infrastructure. Your data physically resides in Frankfurt and is contractually guaranteed not to leave the EU at rest. The CLOUD-Act exposure is mitigated by our application-layer envelope encryption — DigitalOcean's staff cannot read your data even if compelled by a US court order; they'd retrieve ciphertext only.
Stripe
Sees billing-related data: your email, payment method (card on file, never the full PAN), plan, invoices, VAT ID. Stripe doesn't see your invoice content, your documents, or your customer relationships. Stripe has its own SOC 2 / PCI-DSS / GDPR posture; their privacy policy is comprehensive and worth reading if you handle large-scale payments.
Resend
Outbound only: every transactional email we send goes through Resend. Receipts (forwarded to your billing email), 2FA codes (just kidding — 2FA is TOTP, no SMS, no email), password-reset links, tax-advisor flag notifications. Resend no longer handles the inbound forwarding path — that moved to MailPace (see below).
MailPace
Inbound only: every email forwarded to your u-…@in.taxiteasy.org address is received by MailPace and delivered to our inbound webhook. Each delivery is cryptographically signed by MailPace and our handler verifies the signature before processing anything — unsigned or invalid deliveries are rejected. The email body is processed in-memory by our handler and discarded — not retained; only the extracted attachments are stored in your account. MailPace itself (legal entity: OhMySMTP Ltd, a UK company) retains received emails for up to 35 days per its DPA. Its email data is hosted in France with backups in Germany, so the message content stays in the EU; the UK entity is covered by the European Commission's UK adequacy decision.
Mistral AI
Generates text embeddings of public website-assistant (chatbot) messages and our knowledge-base content so the assistant can retrieve relevant help articles. Located in France — an EU provider; we configure processing within the EU. The website assistant is unauthenticated and has no access to Customer Data: no account, document, banking, or tax data is ever sent to Mistral.
Sentry
Catches application errors for our engineering response. Sentry's privacy mode strips PII from error traces (we have explicit allowlists for what's safe to send to Sentry — no fields from invoices, no user content, just stack-traces and request metadata). Sentry is the most-scrutinised of our sub-processors precisely because errors can accidentally include sensitive data; we audit the rules quarterly.
Cloudflare
Sits in front of the public-facing marketing website (taxiteasy.org) for DDoS protection, WAF, and CDN. Sees HTTP request metadata (IP, user-agent, request path) for traffic to the marketing site. The app (app.taxiteasy.org) and the API (api.taxiteasy.org) do not route through Cloudflare — application traffic goes directly to our origin in Frankfurt, so Cloudflare never sees application data.
Sub-processors that are not customer-facing
These are internal-only — they don't process customer personal data:
- GitHub (source-code hosting)
- Docker Hub / DigitalOcean Container Registry (CI artefacts)
Sentry is sometimes asked about here; it's already listed above. They receive error-trace events with PII scrubbing as their primary input; we list them as customer-facing because in edge cases (a really weird error trace that slipped through PII scrubbing) they could in theory see fragments of personal data.
We don't list GitHub or Docker Hub on /subprocessors.html because they don't process personal data — our source code is not personal data, and the CI artefacts are encrypted images that don't contain customer data.
DPA (Data Processing Agreement)
A DPA is the contractual document under GDPR Article 28 that governs the data-processor relationship between you (the data controller) and us (the data processor). For TaxItEasy:
- Available on request to
[email protected]. - Public version at /dpa.html — the standalone document.
The DPA's Annex 3 lists each authorized sub-processor with its location and transfer mechanism, and we impose equivalent data-protection obligations on every sub-processor by written contract (DPA Section 4.4) — so you have a single document chain from your relationship with us to each downstream processor.
Edge cases
I want a DPA. Available on request to [email protected]; the public version is at /dpa.html. We use the standard public template — if your legal team has specific requirements, write to [email protected].
My DPO is asking about the Anthropic zero-retention claim. Anthropic's commercial default applies today — up to 30 days for safety monitoring. The zero-retention addendum is in active negotiation. We will publish the executed addendum on /security.html and /subprocessors.html once signed. Until then we don't claim it. If your DPO needs the addendum in place before you can use the service, the workaround is to wait for the addendum (estimated date is uncertain — depends on Anthropic's contract pipeline) or use a non-AI-extraction workflow (which means manual data entry, which most users don't want).
What about regional providers — could you use EU-only AI? On our radar. Quality bar is the gating factor — extraction accuracy and cost competitiveness. If regional providers (Aleph Alpha, Mistral, etc.) reach parity with Anthropic for our specific use case (German + multilingual invoice extraction), we'll add them as an alternative or replacement. We won't add them for marketing reasons alone if the quality regresses.
Can I opt out of Cloudflare and connect directly to your origin? Not as a per-customer setting. Cloudflare is in front of the public marketing website for DDoS / WAF; bypassing it for one visitor would create a parallel architecture we'd have to maintain in addition to the Cloudflare path. The Cloudflare data exposure is limited (HTTP metadata for the marketing site only — the app and API don't route through Cloudflare) so it's not usually the friction point.
You added a new sub-processor and I didn't get the 30-day notice. Check your email-notification preferences (Settings → Notifications) and the address on file. If you confirm we missed you, write to [email protected] with [GDPR] sub-processor notification missed — we'll investigate and remediate (most often a notification went to spam; rarely an address was outdated).
Can I see audit-logs of which sub-processor your system called for my specific document? Currently no per-document sub-processor trace surface to users. The audit log shows our internal actions (extraction triggered, etc.), but doesn't itemise the Anthropic / Stripe / Resend / MailPace call for each. If you need this granularity for a specific investigation, write to [email protected] — we can pull the trace from our logs within the standard GDPR 30-day window.
Related
- Where is my data stored? — the residency context
- How our encryption works — what protects data from each sub-processor
- Your GDPR rights as a user — Art. 28 context for sub-processor management
- /subprocessors.html — canonical legally-binding list
- /dpa.html — standalone DPA document