Sub-Processor List
Approved sub-processors for the Aldric platform pursuant to Art. 28 GDPR
Note: This is a convenience translation. In case of discrepancies, the German version shall prevail.
Version 1.0 — As of: March 2026
Data Controller: CONPORT Services GmbH, Alte Benninghofer Str. 24, 44263 Dortmund, Germany, Managing Director: Benjamin Schowe
1. Introduction
This page contains the current list of approved sub-processors engaged by CONPORT Services GmbH in the course of providing the Aldric SaaS platform. This list is maintained pursuant to Art. 28 GDPR and the provisions set out in Section 5 of the Data Processing Agreement (DPA).
As a data processor, CONPORT Services GmbH ensures that all sub-processors engaged are subject to the same data protection obligations as set out in the DPA (Art. 28(4) GDPR). CONPORT Services GmbH remains liable to the Controller for the sub-processors' compliance with these obligations.
2. Change and Objection Process
Customers of the Aldric platform will be informed of any intended addition or replacement of a sub-processor at least 30 days in advance. Notification will be sent by email to the administrator address registered in the customer account and by updating this page.
Customers may raise a justified objection within 14 days of receiving the notification. Objections must be submitted in writing to datenschutz@conport.services. If a customer raises a justified objection, the parties shall seek an amicable solution. If this is not possible, the customer shall have a special right of termination effective as of the date of the planned change.
3. Current Sub-Processors
| Provider | Purpose | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| Stripe, Inc. 510 Townsend St, San Francisco, CA 94103, USA | Payment processing (subscriptions, invoices, refunds) | Name, email address, payment data (credit card number encrypted), billing address | USA / EU | EU-US Data Privacy Framework (adequacy decision of July 10, 2023), Standard Contractual Clauses (SCCs) |
| Plausible Insights OU Vana-Mustamae tee 50, 10621 Tallinn, Estonia | Website analytics (privacy-friendly usage statistics for the marketing website) | Anonymized usage data (no personal data, no cookies) |
EU (Estonia) Servers: Hetzner, DE | EU-based, GDPR compliant, no personal data processed, no cookies, no cross-site tracking |
| Hetzner Online GmbH Industriestr. 25, 91710 Gunzenhausen, Germany Placeholder — confirmation pending | Server infrastructure, data storage, platform hosting | All platform data (stored encrypted) | Germany / EU | ISO 27001 certified, GDPR compliant, data centers exclusively in Germany / Finland |
| DocuSign, Inc. 221 Main Street, Suite 1000, San Francisco, CA 94105, USA Only when integration is enabled | Electronic signatures for documents and contracts | Document contents, name and email address of signatories, signature metadata | USA / EU | EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), ISO 27001 |
| [Email Service Provider] To be added once decided — see Issue #388 | Transactional emails (notifications, password resets, reports) | Recipient email addresses, system notification content | To be added | To be added |
Note on placeholders: Hetzner is listed as the provisional hosting provider and will be replaced or confirmed by the final provider before production launch. The email service provider will be added following an internal decision (Issue #388). Customers will be notified in accordance with Section 2.
4. Services Not Considered Sub-Processors
The following services used as part of the platform infrastructure are not considered sub-processors under the GDPR, as they do not have access to personal data belonging to platform customers:
- Keycloak (identity provider — runs as a self-hosted instance within our own infrastructure)
- Redis (in-memory cache — no persistent personal data)
- Internal monitoring and alerting services without access to personal data
5. Third-Country Transfers
CONPORT Services GmbH processes personal data primarily within the EU/EEA. Transfers to third countries (in particular the USA) only take place where an adequacy decision by the European Commission (Art. 45 GDPR) or appropriate safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses) are in place.
Currently affected: Stripe, Inc. and DocuSign, Inc. (USA) — both on the basis of the EU-US Data Privacy Framework and additional SCCs.
6. Further Information
- Data Processing Agreement (DPA) — sub-processing provisions in Section 5
- Privacy Policy of the Aldric website
- Aldric App Privacy Policy
For questions regarding sub-processing, please contact:
CONPORT Services GmbH — Data Protection
Email: datenschutz@conport.services
Change History
| Version | Date | Change |
|---|---|---|
| 1.0 | March 2026 | Initial publication with first sub-processor list |
This list is updated whenever there are changes to the sub-processors engaged. Customers are informed at least 30 days in advance in accordance with Section 2.