Subprocessor List
Effective from 15 May 2026 - Version 1. Last reviewed: 15 May 2026
This list identifies the third parties that Fintum Market Intelligence GmbH ("we") engages to process personal data on behalf of our customers in the course of providing the Market Intelligence platform. It is the authoritative reference for Article 28 (2) and (4) GDPR / Section 11 of our Data Processing Agreement.
Scope
For the purposes of this list, "personal data" means Authorized User data that we process for our customers: the names, email addresses, login activity, IP addresses, support correspondence, and similar metadata of the customer's employees who access the platform. Where a third party processes only data we control under our own Privacy Policy (visitor analytics, billing-side data, etc.), it is not within the scope of this Subprocessor list and is governed by that Policy instead.
Current subprocessors
| Subprocessor | Role | Processing location | Categories of personal data | Transfer mechanism |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting, database (PostgreSQL/TimescaleDB), file storage, key management | `eu-central-1` (Frankfurt, Germany) | All Authorized User profile, authentication, session, and audit data; encrypted at rest using AWS KMS-managed keys | EU – EU; no third-country transfer mechanism required. We have signed AWS's Data Processing Addendum which incorporates the EU SCCs as a fallback for any incidental US support access. |
| Resend, Inc. | Transactional email (invitations, agreement acceptance confirmations, security alerts, MFA codes, password resets) | EU (Ireland) | Recipient email address and full name; the body of the message including any platform identifiers it references | EU – EU; no third-country transfer mechanism required. We have signed Resend's Data Processing Agreement. |
| PostHog Inc. | Product analytics and error monitoring for the Market Intelligence platform (Phase 1 scope; Customer Support Inbox is deferred to a future version of this list) | EU cloud (Frankfurt, Germany) | Authorized User identifier (UUID), event metadata describing platform interactions (screen, feature, period selection, etc.), redacted IP addresses, redacted error messages and stack-trace fingerprints from unhandled frontend and backend exceptions. Free-text payloads, request bodies, query strings and full stack traces are stripped before send. | EU – EU; signed PostHog DPA (see https://posthog.com/dpa) incorporates the EU SCCs as a fallback for any incidental US support access. |
How we choose and oversee subprocessors
Before we engage any subprocessor we conduct a documented due-diligence review covering:
- The subprocessor's organisational and technical security controls, evidenced by a current SOC 2 Type II report, ISO 27001 certificate, or equivalent independent attestation.
- Their data-processing locations, sub-subprocessor relationships, and applicable transfer mechanisms.
- The data-protection terms in the contract we sign with them, which must meet the Article 28 GDPR requirements at a minimum.
- The legal jurisdiction in which the subprocessor is established, including any cross-border-data-transfer implications under Schrems II and the GDPR's Chapter V.
We re-review each subprocessor at least annually and on any material change to their service.
Notification of changes (Art. 28 (2) GDPR)
We notify the primary administrator of every active customer of any addition or replacement of a subprocessor at least 30 calendar days in advance of the change taking effect. The notice is delivered through:
- An update to this list at its permanent URL with an incremented version (the prior version is preserved at its versioned URL; the new version becomes the current one).
- An email to the customer's primary admin contact summarising the change, the reason, the new subprocessor's data-processing locations, and the transfer mechanism if any.
- An in-platform banner visible to every Company Admin of an affected customer.
Customers may object to a proposed subprocessor change on legitimate data-protection grounds. To object, write to it (at) fintum-mi.com within the 30-day notice period describing the basis of the objection. We will engage in good-faith discussion and, if no resolution is reached, the customer is entitled to terminate the affected service without penalty under the Master Subscription Agreement.
If no objection is received during the notice period, the customer is treated as having accepted the change as of the effective date.
Not currently in use
The following providers are not currently engaged as subprocessors for the Market Intelligence platform. If we add any of them in the future, the addition will follow the change-notification procedure above.
- Cloudflare (CDN, DDoS protection)
- Google Cloud Platform
- Stripe (billing): billing is handled offline during the pilot phase
- Sentry (error tracking): superseded by PostHog Exceptions; see "A note on PostHog" below
- PostHog as a Customer Support Inbox tool: see "A note on PostHog" below
- Any third-party advertising-network provider: never expected to be added; if that ever changed, it would be a substantive change to our business model
A note on PostHog
PostHog Inc. is engaged for two distinct activities, which we treat as separate disclosure events:
- Product analytics and error monitoring (this version, Version 1). PostHog processes Authorized User identifiers, event metadata describing how users navigate the platform, redacted IP addresses, and redacted error / exception payloads. This activity is what the row above governs.
- Customer Support Inbox (not yet active; planned Phase 2, see PLAN_POSTHOG_INTEGRATION.md and PLAN_POSTHOG_04_CUSTOMER_SUPPORT.md). When activated, this will introduce processing of additional categories (the contents of support tickets and replies). Activation will be staged behind a fresh version of this list, communicated through the 30-day notification flow above, and gated on the new notice period elapsing without unresolved objection.
Customer support tooling
The Master Subscription Agreement gives us latitude to engage third-party tools to triage and respond to customer inquiries. The list of tools we currently use for that purpose is reflected in this Subprocessor list. There is no separate, hidden tool that processes Authorized User data outside what is named here. If a customer asks for confirmation in writing of the exact set of tools we use, we provide that confirmation via it (at) fintum-mi.com.
Contact
Questions about this list, requests for evidence of due-diligence reviews, or copies of the Data Processing Agreements we hold with the subprocessors named above can be directed to it (at) fintum-mi.com.