Transparency on third-party providers that process personal data on behalf of Gitogi Srl, pursuant to Art. 28(2) of Regulation (EU) 2016/679.
This document is drafted in Italian. The English version is provided for informational purposes only: in case of discrepancy, the Italian text shall prevail.
Last updated: 12 April 2026
Pursuant to Art. 28(2) of Regulation (EU) 2016/679 (GDPR), Gitogi Srl, acting as data controller and/or data processor, publishes and maintains this list of sub-processors to which it entrusts specific personal data processing activities. Each sub-processor operates under a Data Processing Agreement (DPA) compliant with Art. 28 GDPR and, where applicable, in compliance with the safeguards for international data transfers set out in Arts. 44-49 GDPR.
| Name | Legal entity | Processing purpose | Data processed | Location / Data residency | Transfer mechanism | Consent-gated | DPA link |
|---|---|---|---|---|---|---|---|
| Supabase | Supabase Inc. | Database, authentication, storage | All stored personal data (accounts, profiles, progress, consents) | EU (eu-central-1, Frankfurt) | N/A (data in EU) | No | DPA |
| Stripe | Stripe Inc. | Payment and subscription processing | Email, name, billing data, payment methods | USA / EU | EU-US DPF + SCCs | No | DPA |
| Anthropic | Anthropic PBC | AI Chat (Claude Sonnet 4 — primary provider) | Chat messages, extracted lead signals | USA | EU-US DPF + SCCs | Yes | DPA |
| OpenAI | OpenAI LLC | AI Chat fallback (GPT-4o-mini), embeddings (text-embedding-3-small), batch validation | Chat messages, document chunks for RAG | USA | EU-US DPF + SCCs | Yes | DPA |
| Resend | Resend Inc. | Transactional email delivery and notifications | Email addresses, email content, delivery status | USA | EU-US DPF | No | DPA |
| Upstash | Upstash Inc. | Rate limiting (Redis) | Rate limit keys (hashed IPs), ephemeral data with TTL | EU | N/A (data in EU) | No | DPA |
| PostHog | PostHog Inc. | Product analytics and user behavior analysis | Session data, interaction events, user properties | EU Cloud (eu.posthog.com) | N/A (EU Cloud) | Yes | DPA |
| Google | Google LLC | Analytics (GA4), reCAPTCHA Enterprise, Google Workspace | Session data, IP, device fingerprint, navigation events | USA / EU | EU-US DPF + SCCs | Yes | DPA |
| Sentry | Functional Software Inc. | Error tracking and session replay | Error context, stack traces, masked session data | USA | EU-US DPF | Yes | DPA |
| Perplexity | Perplexity AI Inc. | Web search for Knowledge Base Brain (optional) | Search queries (no personal data sent) | USA | EU-US DPF | No | DPA |
| Google AI | Google LLC | Long-context document cross-referencing (optional) | Document summaries (no personal data sent) | USA / EU | EU-US DPF + SCCs | No | DPA |
| AWS | Amazon Web Services Inc. | Cloud hosting (AWS Amplify — frontend, SSR, CDN) | All data in transit (HTTP requests, headers, CDN logs) | EU (eu-west-1, Ireland) | N/A (data in EU) | No | DPA |
| Aruba | Aruba SpA | Cloud hosting (Aegis), electronic invoicing and digital preservation | Aegis client data (in-memory processing), electronic invoices, fiscal data | Italy | N/A (data in Italy) | No | DPA |
| Microsoft / Azure | Microsoft Corporation | Cloud infrastructure (Aegis) | Aegis client data (in-memory processing) | EU (Ireland) | N/A (data in EU) | No | DPA |
| Browserless | Browserless.io | JS-rendered scraping for regulatory monitoring (optional, no personal data) | URLs of public normative websites (no personal data sent) | USA | EU-US DPF | No | DPA |
In accordance with our contractual obligations and Art. 28(2) GDPR, Gitogi Srl notifies active clients by email of any changes to this list at least 30 (thirty) days before the new sub-processor becomes active. During this period, the client has the right to object to the change. In the absence of written objection within the specified deadline, the change shall be deemed accepted. The updated list is always available on this page.
Transfers of personal data to third countries are carried out exclusively on the basis of appropriate safeguards pursuant to Arts. 44-49 GDPR. The main mechanisms used are: (a) EU-US Data Privacy Framework (DPF) — European Commission adequacy decision of 10 July 2023 pursuant to Art. 45 GDPR; (b) Standard Contractual Clauses (SCCs) — standard contractual clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, in the updated version (Decision 2021/914); (c) EU-resident processing — where the sub-processor guarantees data residency within the European Economic Area, no international transfer occurs.
For any questions regarding sub-processors or to exercise your right to object, please contact our privacy team: privacy@gitogi.com.
See also: Privacy Policy · Data Processing Agreement · Security Measures