This page lists the sub-processors engaged by for the provision of the nocert.io Service, in accordance with Article 28 of the GDPR and the Data Processing Agreement at /dpa. The current version and the version history are maintained below. Paid Customers are individually notified by email and through the platform at least 30 days before the addition or replacement of a sub-processor takes effect. The objection mechanism is described in Section 8 of the DPA.
Hosting and edge infrastructure
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| OVHcloud SAS (France) | Cloud hosting of the Service and Customer Personal Data | France (EEA) | None (EEA) |
| Cloudflare, Inc. (USA) and Cloudflare Ireland Limited (Ireland) | Edge delivery, WAF, DDoS protection (does not store application data) | EEA edge with US headquarters | EU SCCs Module 3 + DPF |
Payment and invoicing
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd. (Ireland) and Stripe, Inc. (USA) | Payment processing | Ireland (EEA) and USA | EU SCCs Module 2 + DPF |
| Tiime SAS (France) | E-invoicing — Plateforme Agréée officially certified by DGFiP | France (EEA) | None (EEA) |
Email infrastructure
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Google LLC / Google Ireland Limited — Google Workspace | Business email (inbound and outbound correspondence, including support) | Ireland (EEA) with US infrastructure | EU SCCs Module 3 + DPF |
| Mailgun Technologies, Inc. / Sinch | Transactional outbound email (alerts, notifications, operational emails) | EU region (api.eu.mailgun.net) | EU SCCs Module 3 + DPF |
| Amazon Web Services EMEA SARL / Amazon Web Services, Inc. — Amazon SES | Transactional outbound email fallback | EU region (eu-west-1 / eu-central-1) | EU SCCs Module 3 + DPF |
Sub-sub-processors
Each of the sub-processors listed above may itself engage further sub-processors with access to Customer Personal Data. Upon reasonable written request to [email protected], nocert provides the list of such further sub-processors to the extent that the information is publicly available or obtainable by nocert under its contract with the relevant sub-processor. This commitment implements EDPB Opinion 22/2024 on the obligations of controllers and processors regarding sub-processors and Section 8 of the Data Processing Agreement.
Version history
April 2026 — Initial list
First publication of the sub-processor list, contemporaneous with the entry into force of the Data Processing Agreement. Initial sub-processors:
- Hosting and edge infrastructure: OVHcloud SAS; Cloudflare, Inc. / Cloudflare Ireland Limited.
- Payment and invoicing: Stripe Payments Europe Ltd. / Stripe, Inc.; Tiime SAS.
- Email infrastructure: Google LLC / Google Ireland Limited (Google Workspace); Mailgun Technologies, Inc. / Sinch; Amazon Web Services EMEA SARL / Amazon Web Services, Inc. (Amazon SES).
Notifications
Paid Customers receive notifications of any addition or replacement of a sub-processor automatically, by email at the address registered on their account and through the in-platform notification system, at least 30 days before the change takes effect. You may also contact [email protected] to be added to the sub-processor change notification list.