Sub-processors / Lista sub-procesorów
Full list of entities processing data on behalf of AiSigma
Last updated: June 21, 2026
What is a sub-processor
A sub-processor is a third-party vendor that AiSigma (the data controller) engages to process personal data on your behalf — for example, to run a language model, store conversation history, or deliver email. Under GDPR Article 28(2) we are required to inform you about every such party and about the safeguards we have in place so that your data is protected to the same standard we maintain ourselves.
The table below contains the complete, current list of all sub-processors AiSigma uses in production. We update this list every time it changes — you can subscribe to notifications in the section below to be informed in advance whenever a new sub-processor is added.
Active sub-processors
| Name | Service | Location | Data accessed | Safeguards (SCCs / DPA) |
|---|---|---|---|---|
| OpenAI, Inc. | Language model API (LLM) + embeddings | USA | Message content (transient processing, no training) | Standard Contractual Clauses (SCCs) + OpenAI DPA, training opt-out (API) |
| Supabase, Inc. | Postgres database + pgvector (semantic memory) | Frankfurt (EU) — data residency; parent company in USA | Conversation content + embeddings (stored) | Supabase DPA + EU region (Frankfurt), at-rest encryption |
| Vercel, Inc. | Web hosting + serverless functions (Edge / Node) | USA + global edge POPs (incl. EU) | Request metadata (IP, User-Agent, timestamp) — no chat bodies in logs | Standard Contractual Clauses (SCCs) + Vercel DPA |
| Resend, Inc. | Transactional email delivery (contact form) | USA | Recipient email address + message body | Resend DPA, TLS in transit, limited log retention |
| GoDaddy (Titan Email) | Mailbox junior@aisigma.pro (inbound) | USA | Inbound mail to the administrator — not customer data processed under the service | N/A for customer DPA (owner-administrative mailbox) |
| Stripe, Inc. | Payment processor (when activated) | USA | Billing data (name, email, country) — no chat content | Stripe DPA + SCCs, PCI-DSS Level 1 |
- Service
- Language model API (LLM) + embeddings
- Location
- USA
- Data accessed
- Message content (transient processing, no training)
- Safeguards (SCCs / DPA)
- Standard Contractual Clauses (SCCs) + OpenAI DPA, training opt-out (API)
- Service
- Postgres database + pgvector (semantic memory)
- Location
- Frankfurt (EU) — data residency; parent company in USA
- Data accessed
- Conversation content + embeddings (stored)
- Safeguards (SCCs / DPA)
- Supabase DPA + EU region (Frankfurt), at-rest encryption
- Service
- Web hosting + serverless functions (Edge / Node)
- Location
- USA + global edge POPs (incl. EU)
- Data accessed
- Request metadata (IP, User-Agent, timestamp) — no chat bodies in logs
- Safeguards (SCCs / DPA)
- Standard Contractual Clauses (SCCs) + Vercel DPA
- Service
- Transactional email delivery (contact form)
- Location
- USA
- Data accessed
- Recipient email address + message body
- Safeguards (SCCs / DPA)
- Resend DPA, TLS in transit, limited log retention
- Service
- Mailbox junior@aisigma.pro (inbound)
- Location
- USA
- Data accessed
- Inbound mail to the administrator — not customer data processed under the service
- Safeguards (SCCs / DPA)
- N/A for customer DPA (owner-administrative mailbox)
- Service
- Payment processor (when activated)
- Location
- USA
- Data accessed
- Billing data (name, email, country) — no chat content
- Safeguards (SCCs / DPA)
- Stripe DPA + SCCs, PCI-DSS Level 1
Notify me of changes / Powiadom mnie przy zmianie
Enter your email to be notified when we add, change, or remove a sub-processor. We send change notifications only — no marketing.
After signing up, we will send a confirmation email (double opt-in). You can unsubscribe at any time.
Change log
A chronological record of every change made to the sub-processor list.
- June 21, 2026Initial publication of the sub-processor list.
Questions about this list or our DPA documentation: junior@aisigma.pro
© 2026 AiSigma