SUBPROCESSORS LIST

Subprocessors List

The Auditope Platform — operated by CAI Technology S.R.L.

Public, updatable page, under Article 28(2) GDPR and the DPA — Annex 1 of the Privacy Policy.

Version: v1.1 • Published on: 2026-05-12 • Effective from: 2026-05-12

1. Introduction

The Controller Client may raise reasoned objections to a new subprocessor, in writing, within 15 days of notification. Failing a solution, the Client may terminate the contract with a proportional refund of the unused period, under Section A1.4 of the DPA.

2. Active subprocessors

Subprocessor	Service category	Processing location	Extra-EEA transfer mechanism	Data processed	Certifications
—	Cloud hosting, databases, backup	—	—	All Platform data	ISO 27001, SOC 2
—	Hosting / DR site	—	—	Backup, disaster recovery	—
—	CDN, WAF, DDoS protection	—	—	Web traffic data, IPs, headers	ISO 27001, SOC 2
—	Transactional e-mail	—	—	E-mail address, notification content	—
—	Card payment processing	Ireland + tokens hosted by Stripe	EU adequacy decision (intra-EEA)	Card tokens, billing identification	PCI-DSS L1, ISO 27001
—	Alternative payment processing	Romania	Intra-EEA	Card tokens	PCI-DSS L1
—	E-mail marketing (with consent)	—	—	E-mail addresses of newsletter subscribers	—
—	Web analytics (IP-anonymized, no cookies recommended)	—	Intra-EEA recommended	Aggregate traffic data, anonymized IP	—
—	Help desk, ticketing, support chat	—	—	Ticket content, e-mail, conversations	—
—	LLM API for Auditope chatbot	Ireland + US processing (DPF)	DPF + SCC 2021/914 + no-training option	Prompts, conversations (no-training)	SOC 2 Type II
—	Alternative LLM API	Ireland + US processing	DPF + SCC + no-training by default	Prompts (no-training)	SOC 2 Type II
—	Self-hosted LLM (privacy-first alternative)	—	Intra-EEA (internal control)	No external transfer	CAI Technology S.R.L. internal control
—	Application monitoring, error logging	—	—	Technical logs, stack traces	—
—	Backup, disaster recovery replication	—	Intra-EEA	Encrypted database snapshots	ISO 27001
ANAF — National RO e-Factura System	Tax compliance — mandatory e-invoicing	Romania	Legal obligation — Article 6(1)(c) GDPR	Billing data, Client identification	Official state system
National Trade Registry Office (ONRC) / ANAF	CUI verification, pre-fill registration data	Romania	Official public sources	Public company data	Official state system
—	Federated Single Sign-On (SSO)	—	—	Federated authentication data	—
—	Accounting / tax services	Romania	Intra-EEA — professional confidentiality obligation	Billing data, payments, contracts	CECCAR member
—	Legal assistance	Romania	Intra-EEA — professional privilege	On request, in disputes	UNBR

3. Suppliers that are NOT subprocessors

The following suppliers are used by CAI Technology S.R.L., but do NOT process personal data, or do so strictly on their own account (independent Controller), not as GDPR subprocessors:

4. How to verify that subprocessors are up to date

Recommendation for Controller Clients who want automated verification:

RSS subscription to this page;
monthly automated check of the page hash;
check the “Last updated” field in the header.

5. Related documents

Privacy Policy (Section 5 — recipients and subprocessors)
DPA — Data Processing Agreement (Annex 1 of the Policy)
AI Notice (for AI/LLM subprocessors)
Cookie Policy (for third-party cookies)

6. Contact

CAI Technology S.R.L.

Registered office: Str. Victor Brauner 34, București, România • VAT ID: RO50512457 • Companies Register no.: J2024020380005

General e-mail: office@caitech.ro

Support: tehnic@caitech.ro

Data protection contact: dpo@caitech.ro

Security: office@caitech.ro

Specific questions about subprocessors (for example, Enterprise Clients who need additional details for a DPIA): dpo@caitech.ro.

Subprocessors list