Current sub-processors
All sub-processors listed below have signed a Data Processing Agreement (or equivalent) with CloudVoro, are subject to confidentiality obligations of equivalent strength to those CloudVoro owes its own customers, and are reviewed annually as part of our vendor-risk programme.
Sub-processor 01
Amazon Web Services EMEA SARL
Registered address
38 Avenue John F. Kennedy, L-1855 Luxembourg
Processing purpose
Infrastructure hosting for Keystone application servers, MongoDB Atlas clusters and S3 object storage.
Data categories
All tenant operational data, user account records, audit logs, encrypted backups.
Processing location
EU — AWS Ireland (eu-west-1, Dublin)
Transfer mechanism
Intra-EU — no transfer mechanism required.
Contract in force
AWS Customer Agreement + Data Processing Addendum (signed).
Sub-processor 02
MongoDB, Inc. (via MongoDB Atlas)
Registered address
1633 Broadway, 38th Floor, New York, NY 10019, USA — EU operations via MongoDB Ireland Ltd.
Processing purpose
Managed database hosting (multi-tenant cluster, per-tenant logical isolation).
Data categories
All tenant operational data at rest.
Processing location
EU — MongoDB Atlas eu-west-1 region (AWS Ireland).
Transfer mechanism
EU-hosted shard placement. SCCs in place for any transfer outside the EEA.
Contract in force
MongoDB Cloud Subscription Agreement + Data Processing Addendum (signed).
Sub-processor 03
CloudVoro SMTP relay (mail.cloudvoro.com)
Registered address
CloudVoro infrastructure — Ireland.
Processing purpose
Outbound transactional email: password resets, contact-form replies, audit-event notifications.
Data categories
Recipient email address, subject, plain-text and HTML body of transactional messages.
Processing location
EU — Ireland.
Transfer mechanism
Intra-EU.
Contract in force
Internal CloudVoro infrastructure — controlled directly by CloudVoro.
Sub-processor 04
Stripe Payments Europe Ltd.
Registered address
1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland.
Processing purpose
Card payment processing for paid Keystone licences. Engaged only when a customer pays by card.
Data categories
Cardholder data is handled directly by Stripe — CloudVoro does not see or store PAN data. We retain Stripe customer IDs, invoice IDs and payment metadata.
Processing location
EU — Ireland (Stripe primary EU entity).
Transfer mechanism
Intra-EU. SCCs in place for any onward transfer to Stripe US.
Contract in force
Stripe Services Agreement + Data Processing Agreement (signed).
Sub-processor 05
Calendly LLC
Registered address
271 17th Street NW, Atlanta, GA 30363, USA.
Processing purpose
Discovery-call scheduling on the public marketing site. Engaged only when a visitor chooses to book a call.
Data categories
Visitor name, email, optional company name, requested call slot, optional message.
Processing location
United States.
Transfer mechanism
EU Standard Contractual Clauses (Module 2) executed via Calendly DPA. No special-category data submitted.
Contract in force
Calendly Terms of Service + Data Processing Addendum (signed).
Sub-processor 06
Google LLC — Google Analytics (only when explicit opt-in)
Registered address
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Processing purpose
Aggregate website analytics. NOT loaded by default. Engaged only after explicit cookie consent.
Data categories
IP address (anonymised), user agent, page paths, referrer, visit duration.
Processing location
United States.
Transfer mechanism
EU Standard Contractual Clauses + IP anonymisation. Strictly opt-in.
Contract in force
Google Analytics Terms + Data Processing Terms.
Notification of changes
CloudVoro will notify the primary tenant contact at least 30 calendar days before adding, removing or replacing a sub-processor that handles tenant data. Customers may object on reasonable grounds within that window; if no commercially viable resolution can be reached, the customer may terminate the affected service with pro-rata refund of pre-paid fees.
How to subscribe to updates
Tenant administrators are automatically subscribed using the contact email on file. To add a procurement contact or DPO at your organisation, write to privacy@cloudvoro.com and we'll add them to the notification list.
Audit rights
Enterprise customers have a contractual right to audit our sub-processor arrangements once per calendar year, on 30 days' notice, on a remote-questionnaire basis. On-site audits can be arranged for cause (e.g. following a notified incident) on commercially reasonable terms.