Sub-Processor List — Gitogi Srl

This document is drafted in Italian. The English version is provided for informational purposes only: in case of discrepancy, the Italian text shall prevail.

Last updated: 20 April 2026

Pursuant to Art. 28(2) of Regulation (EU) 2016/679 (GDPR), Gitogi Srl, acting as data controller and/or data processor, publishes and maintains this list of sub-processors to which it entrusts specific personal data processing activities. Each sub-processor operates under a Data Processing Agreement (DPA) compliant with Art. 28 GDPR and, where applicable, in compliance with the safeguards for international data transfers set out in Arts. 44-49 GDPR.

Name	Legal entity	Processing purpose	Data processed	Location / Data residency	Transfer mechanism	Consent-gated	DPA link
Supabase	Supabase Inc.	Database, authentication, storage	All stored personal data (accounts, profiles, progress, consents)	EU (eu-central-1, Frankfurt)	N/A (dati in EU)	No	DPA
Stripe	Stripe Inc.	Payment and subscription processing	Email, name, billing data, payment methods	USA / EU	EU-US DPF + SCCs	No	DPA
Stripe (UK customers — GBP) Conditional	Stripe Payments UK, Ltd. [LEGAL REVIEW PENDING]	Payment and subscription processing for UK customers in GBP — DEFERRED v1.1 (UK descoped from v1.0 on 2026-04-27)[NOT ACTIVE IN v1.0 — DEFERRED v1.1] Sub-processor not active. v1.0 commercial scope is Italy-only, EUR-only (decision 2026-04-27 — see `docs/COMPLETION_PLAN_v1_0.md` §1). No UK customer data flows through this sub-processor. Will activate only upon UK launch opening (v1.1) after: (a) UK counsel review on legal entity and DPA, (b) `currency: 'gbp'` enablement in `src/lib/stripe/checkout.ts`, (c) addition of UK-specific clauses to legal docs (Privacy Policy UK GDPR, Cookie Policy PECR, ToS Consumer Rights Act 2015). Kept in the registry as a transparent placeholder of the v1.1 roadmap.	No data in v1.0. In v1.1, if activated: email, name, UK billing data, payment methods (GBP cards, Bacs Direct Debit where enabled)	UK (London) [LEGAL REVIEW PENDING — confirm Stripe Payments UK, Ltd. data residency vs onward transfer to Stripe Inc. USA]	[v1.1 only] UK adequacy decision (EU→UK, in vigore 28 giugno 2021) per dati provenienti da clienti EU; UK IDTA + UK-US Data Bridge (in vigore 12 ottobre 2023) per onward transfer verso Stripe Inc. USA. [LEGAL REVIEW PENDING — confirm IDTA vs SCC choice + Data Bridge applicability]	No	DPA
Amazon Web Services (Bedrock)	Amazon Web Services EMEA SARL (Lussemburgo)	Primary AI chat (Claude Opus/Sonnet/Haiku) and intra-Bedrock fallback (Mistral Large) via AWS Bedrock with cross-region EU inference profile	User chat messages, deliverable generation prompts, KB analysis document chunks, extracted lead signals	EU (eu-south-1 Milano primario; cross-region EU: eu-central-1 Frankfurt, eu-west-1 Ireland, eu-west-3 Paris)	N/A (dati residenti UE); AWS EMEA SARL è entità europea, AWS Inc. USA-parent (CLOUD Act residuo mitigato da EUDB + Bedrock regional guarantees)	Yes	DPA
Mistral AI (La Plateforme) EU-sovereign	Mistral AI SAS (Parigi, Francia)	EU-sovereign cross-cloud AI fallback — Layer 3 of resilience stack. Active only when AWS Bedrock EU is fully unavailable.	User chat messages and generation prompts during catastrophic AWS Bedrock EU outage	EU (Parigi, Francia — infrastruttura propria Mistral AI SAS)	N/A (società francese, infrastruttura in UE, nessun trasferimento extra-UE, nessuna esposizione US CLOUD Act)	Yes	DPA
Anthropic (API diretta) Conditional	Anthropic PBC	Extra-EU AI chat fallback — disabled by default. Admin-enabled only for dev/staging scenarios or with supplementary DPIA.CONDITIONAL sub-processor: by default the anthropic-direct layer is DISABLED and with 'Hard fail' active it is skipped regardless. User data does not flow to Anthropic USA unless admin explicitly enables it with documented DPIA.	Chat messages (only if admin explicitly enables the anthropic-direct layer in admin AI Stack UI)	USA	EU-US DPF + SCCs	Yes	DPA
OpenAI (API diretta) Conditional	OpenAI LLC	RAG embeddings (text-embedding-3-small, 1536 dim) + conditional extra-EU chat fallbackCurrent use: ONLY embeddings of public editorial content (blog, guides). openai-direct chat layer DISABLED by default. Migration to Amazon Titan Embed v2 (Bedrock EU) planned — will eliminate this residual use.	Public KB document chunks (no personal data); chat messages only if openai-direct layer enabled by admin	USA	EU-US DPF + SCCs	Yes	DPA
Resend	Resend Inc.	Transactional email delivery and notifications	Email addresses, email content, delivery status	USA	EU-US DPF	No	DPA
Upstash	Upstash Inc.	Rate limiting (Redis)	Rate limit keys (hashed IPs), ephemeral data with TTL	EU	N/A (dati in EU)	No	DPA
PostHog	PostHog Inc.	Product analytics and user behavior analysis	Session data, interaction events, user properties	EU Cloud (eu.posthog.com)	N/A (EU Cloud)	Yes	DPA
Google	Google LLC	Analytics (GA4), reCAPTCHA Enterprise, Google Workspace	Session data, IP, device fingerprint, navigation events	USA / EU	EU-US DPF + SCCs	Yes	DPA
Sentry	Functional Software Inc.	Error tracking and session replay	Error context, stack traces, masked session data	USA	EU-US DPF	Yes	DPA
Perplexity	Perplexity AI Inc.	Web search for Knowledge Base Brain (optional)	Search queries (no personal data sent)	USA	EU-US DPF	No	DPA
Google AI (Gemini API) Conditional	Google LLC	Long-context document cross-referencing (deprecated — replaced by Bedrock Sonnet 4.6 200K ctx)LEGACY sub-processor: used only if admin config sets AI_PROVIDER=anthropic (pre-Bedrock mode). Not active in current production.	Summaries of public regulatory documents (no personal data sent)	USA / EU	EU-US DPF + SCCs	No	DPA
Vercel	Vercel Inc.	Web application hosting (Next.js SSR), edge functions, global CDN, cron scheduler	All data in transit (HTTP requests, headers, serverless function logs, CDN logs)	EU (fra1, Frankfurt) — region pinned via vercel.json	EU-US DPF + SCCs (Vercel Inc. è società USA con dati residenti UE)	No	DPA
Aruba	Aruba SpA	Cloud hosting (Aegis), electronic invoicing and digital preservation	Aegis client data (in-memory processing), electronic invoices, fiscal data	Italia	N/A (dati in Italia)	No	DPA
Microsoft / Azure	Microsoft Corporation	Cloud infrastructure (Aegis)	Aegis client data (in-memory processing)	EU (Ireland)	N/A (dati in EU)	No	DPA
Browserless	Browserless.io	JS-rendered scraping for regulatory monitoring (optional, no personal data)	URLs of public normative websites (no personal data sent)	USA	EU-US DPF	No	DPA

Change notification process

In accordance with our contractual obligations and Art. 28(2) GDPR, Gitogi Srl notifies active clients by email of any changes to this list at least 30 (thirty) days before the new sub-processor becomes active. During this period, the client has the right to object to the change. In the absence of written objection within the specified deadline, the change shall be deemed accepted. The updated list is always available on this page.

International transfer mechanisms

Transfers of personal data to third countries are carried out exclusively on the basis of appropriate safeguards pursuant to Arts. 44-49 GDPR. The main mechanisms used are: (a) EU-US Data Privacy Framework (DPF) — European Commission adequacy decision of 10 July 2023 pursuant to Art. 45 GDPR; (b) Standard Contractual Clauses (SCCs) — standard contractual clauses adopted by the European Commission pursuant to Art. 46(2)(c) GDPR, in the updated version (Decision 2021/914); (c) EU-resident processing — where the sub-processor guarantees data residency within the European Economic Area, no international transfer occurs.

Contact

For any questions regarding sub-processors or to exercise your right to object, please contact our privacy team: privacy@gitogi.com.

Name

Legal entity

Processing purpose

Data processed

Location / Data residency

Transfer mechanism

Consent-gated

DPA link

Supabase

Supabase Inc.

Database, authentication, storage

All stored personal data (accounts, profiles, progress, consents)

EU (eu-central-1, Frankfurt)

N/A (dati in EU)