DRAFT — for demo and vendor-risk-review purposes only. This document has not yet been reviewed by counsel. Final wording will be substituted before pilot launch. Do not rely on this draft for any binding commercial decision.
Subprocessor List
Effective from 1 May 2026 — Version 1
Last reviewed: 28 April 2026
This list identifies the third parties that Fintum Market Intelligence GmbH ("we") engages to process personal data on behalf of our customers in the course of providing the Market Intelligence platform. It is the authoritative reference for Article 28 (2) and (4) GDPR / Section 11 of our Data Processing Agreement.
Scope
For the purposes of this list, "personal data" means Authorized User data that we process for our customers — the names, email addresses, login activity, IP addresses, support correspondence, and similar metadata of the customer's employees who access the platform. Where a third party processes only data we control under our own Privacy Policy (visitor analytics, billing-side data, etc.), it is not within the scope of this Subprocessor list and is governed by that Policy instead.
The el-fondo consumer application has its own subprocessor disclosures published with that product. Subprocessors involved exclusively in el-fondo (for example consumer-side analytics) are not within the scope of this list.
Current subprocessors
| Subprocessor | Role | Processing location | Categories of personal data | Transfer mechanism |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting, database (PostgreSQL/TimescaleDB), file storage, key management | `eu-central-1` (Frankfurt, Germany) | All Authorized User profile, authentication, session, and audit data; encrypted at rest using AWS KMS-managed keys | EU – EU; no third-country transfer mechanism required. We have signed AWS's Data Processing Addendum, which incorporates the EU SCCs as a fallback for any incidental US support access. |
| Resend, Inc. | Transactional email (invitations, agreement acceptance confirmations, security alerts, MFA codes, password resets) | EU (Ireland) | Recipient email address and full name; the body of the message including any platform identifiers it references | EU – EU; no third-country transfer mechanism required. We have signed Resend's Data Processing Agreement. |
How we choose and oversee subprocessors
Before we engage any subprocessor, we conduct a documented due-diligence review covering:
- The subprocessor's organisational and technical security controls, evidenced by a current SOC 2 Type II report, ISO 27001 certificate, or equivalent independent attestation.
- Their data-processing locations, sub-subprocessor relationships, and applicable transfer mechanisms.
- The data-protection terms in the contract we sign with them, which must meet the Article 28 GDPR requirements at a minimum.
- The legal jurisdiction in which the subprocessor is established, including any cross-border-data-transfer implications under Schrems II and the GDPR's Chapter V.
We re-review each subprocessor at least annually and on any material change to their service.
Notification of changes (Art. 28 (2) GDPR)
We notify the primary administrator of every active customer of any addition or replacement of a subprocessor at least 30 calendar days in advance of the change taking effect. The notice is delivered through:
- An update to this list at its permanent URL with an incremented version (the version you are reading is preserved at `/legal/subprocessors/v1`; the new version becomes the current one).
- An email to the customer's primary admin contact summarising the change, the reason, the new subprocessor's data-processing locations, and the transfer mechanism if any.
- An in-platform banner visible to every Company Admin of an affected customer.
Customers may object to a proposed subprocessor change on legitimate data-protection grounds. To object, write to privacy (at) fintum-mi.com within the 30-day notice period describing the basis of the objection. We will engage in good-faith discussion and, if no resolution is reached, the customer is entitled to terminate the affected service without penalty under the Master Subscription Agreement.
If no objection is received during the notice period, the customer is treated as having accepted the change as of the effective date.
Not currently in use
The following providers are not currently engaged as subprocessors for the Market Intelligence platform. If we add any of them in the future, the addition will follow the change-notification procedure above.
- Cloudflare (CDN, DDoS protection)
- Google Cloud Platform
- Stripe (billing) — billing is handled offline during the pilot phase
- Sentry (error tracking)
- PostHog as a Customer Support tool — see "Customer support tooling" below
- Any third-party advertising-network provider — never expected to be added; if that ever changed, it would be a substantive change to our business model
A note on PostHog
PostHog is the panel-tracking provider for the el-fondo consumer application and processes the consumer-side data described in el-fondo's own privacy disclosures. It does not currently process Market Intelligence Authorized User personal data and is therefore not a subprocessor for the purposes of this list.
If we activate PostHog's customer-support module to triage Market Intelligence support inquiries — a planned but not-yet-active feature — PostHog will at that point process Authorized User personal data (the contents of support tickets, the email and name of the requester). At that moment we will list PostHog here, communicate the change through the 30-day notification flow above, and stage the activation only after the notice period elapses.
Customer support tooling
The Master Subscription Agreement gives us latitude to engage third-party tools to triage and respond to customer inquiries. The list of tools we currently use for that purpose is reflected in this Subprocessor list — there is no separate, hidden tool that processes Authorized User data outside what is named here. If a customer asks for confirmation in writing of the exact set of tools we use, we provide it through privacy (at) fintum-mi.com.
Contact
Questions about this list, requests for evidence of due-diligence reviews, or copies of the Data Processing Agreements we hold with the subprocessors named above can be directed to privacy (at) fintum-mi.com.