Sub-processors
Third-party service providers who process data on our behalf
Last Updated: November 27, 2025
1. Introduction
This page provides a comprehensive list of sub-processors that JustPost AI B.V. uses to deliver our services. In accordance with GDPR Article 28, we disclose all third parties that process personal data on our behalf.
Company Details
JustPost AI B.V. (Data Controller)
KVK: 98532847
Raamplein 1, 1016XK Amsterdam
The Netherlands
Email: [email protected]
All sub-processors listed below are bound by Data Processing Agreements (DPAs) that include GDPR-compliant terms, Standard Contractual Clauses (SCCs) where applicable, and appropriate technical and organizational security measures.
2. Infrastructure and Hosting
These sub-processors provide the core infrastructure that hosts our application and stores your data.
| Sub-processor | Purpose | Location | Data Categories | Transfer Mechanism |
|---|---|---|---|---|
| DigitalOcean, LLC | Cloud hosting, database storage, application servers | USA / EU (Amsterdam) | All user data, account data, content | EU-US DPF, SCCs |
| Amazon Web Services (AWS) | Object storage (S3), content delivery | USA / EU (Frankfurt) | Media files, images, uploaded content | EU-US DPF, SCCs |
| Cloudflare, Inc. | CDN, DDoS protection, DNS services | Global (edge locations) | IP addresses, request data | EU-US DPF, SCCs |
3. AI and Content Generation
These sub-processors provide artificial intelligence capabilities for content and image generation.
| Sub-processor | Purpose | Location | Data Categories | Transfer Mechanism |
|---|---|---|---|---|
| OpenAI, LLC | AI content generation, text completion, image generation | USA | Prompts, website content, brand info (NOT used for model training) | SCCs, DPA with no-training clause |
AI Training Opt-Out
We have contractual agreements with OpenAI ensuring your data is NOT used to train AI models. Data is processed only to provide you with requested services and is not retained by OpenAI beyond the processing window.
4. Payment Processing
These sub-processors handle payment transactions and subscription management.
| Sub-processor | Purpose | Location | Data Categories | Transfer Mechanism |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing, invoicing | USA / Ireland | Payment details, billing address, transaction history | EU-US DPF, SCCs, PCI DSS Level 1 |
5. Authentication and Security
These sub-processors provide user authentication and security services.
| Sub-processor | Purpose | Location | Data Categories | Transfer Mechanism |
|---|---|---|---|---|
| Clerk, Inc. | User authentication, session management, SSO | USA | Email, name, authentication data, session tokens | SCCs |
6. Communication Services
These sub-processors handle email communications and notifications.
| Sub-processor | Purpose | Location | Data Categories | Transfer Mechanism |
|---|---|---|---|---|
| Mailgun Technologies, Inc. | Transactional email delivery (welcome, password reset, notifications) | USA | Email addresses, email content | SCCs |
7. Social Media Platforms
These platforms receive your content when you authorize us to publish on your behalf. Data is shared based on your explicit authorization.
| Sub-processor | Purpose | Location | Data Categories | Transfer Mechanism |
|---|---|---|---|---|
| Meta Platforms, Inc. | Publishing to Facebook and Instagram | USA / Ireland | Posts, images, profile data (via API) | EU-US DPF, SCCs, User consent |
| TikTok Pte. Ltd. | Publishing to TikTok | Singapore / USA | Videos, posts, profile data (via API) | SCCs, User consent |
| Pinterest, Inc. | Publishing to Pinterest | USA | Pins, images, profile data (via API) | SCCs, User consent |
| LinkedIn Corporation | Publishing to LinkedIn | USA / Ireland | Posts, images, profile data (via API) | EU-US DPF, SCCs, User consent |
| X Corp. (Twitter) | Publishing to Twitter/X | USA | Tweets, images, profile data (via API) | SCCs, User consent |
| Google LLC | Publishing to YouTube, Google Business Profile | USA / Ireland | Videos, posts, business profile data (via API) | EU-US DPF, SCCs, User consent |
Note on Social Media Platforms
Social media platforms act as independent data controllers once content is published. Each platform has its own privacy policy and terms of service. Data is only shared with platforms you explicitly connect to your JustPost.AI account.
8. Analytics and Monitoring
These sub-processors help us understand service usage and monitor performance.
| Sub-processor | Purpose | Location | Data Categories | Transfer Mechanism |
|---|---|---|---|---|
| Google LLC (Analytics) | Website analytics, usage tracking (with IP anonymization) | USA | Anonymized usage data, device info, page views | EU-US DPF, SCCs, IP anonymization |
| AppSignal B.V. | Application performance monitoring, error tracking | Netherlands (EU) | Error logs, performance metrics (minimal PII) | EU processor (no transfer) |
9. Stock Media Services
These services provide stock photos and images for your content. Minimal or no personal data is shared.
| Sub-processor | Purpose | Location | Data Categories | Transfer Mechanism |
|---|---|---|---|---|
| Unsplash, Inc. | Stock photo search and retrieval | Canada | Search queries only (no PII) | Adequacy decision (Canada) |
| Pexels (Canva) | Stock photo search and retrieval | Germany / USA | Search queries only (no PII) | EU processor / SCCs |
| Pixabay (Canva) | Stock photo search and retrieval | Germany / USA | Search queries only (no PII) | EU processor / SCCs |
10. Transfer Mechanisms Explained
EU-US Data Privacy Framework (DPF)
The EU-US DPF provides an adequacy framework for transfers to certified US organizations, as recognized by the European Commission.
Standard Contractual Clauses (SCCs)
European Commission-approved contractual terms ensuring adequate protection for data transferred outside the EEA.
Adequacy Decisions
Countries recognized by the European Commission as providing adequate data protection (e.g., Canada, UK, Japan).
Supplementary Measures
Additional technical measures including encryption in transit and at rest, pseudonymization, and access controls.
11. Changes to Sub-processors
We may add, replace, or remove sub-processors in the course of providing our services. We will:
- Notify you of any intended changes to our sub-processors at least 30 days in advance
- Update this page with the new sub-processor information
- Send email notifications to registered users for material changes
- Give you the opportunity to object to new sub-processors
Objection Process
If you have a legitimate objection to a new sub-processor, you may:
- Contact us at [email protected] within the 30-day notice period
- Explain the grounds for your objection
- We will work in good faith to address your concerns
- If we cannot resolve your objection, you may terminate your account without penalty
12. Data Processing Agreements
All sub-processors have signed Data Processing Agreements (DPAs) with JustPost AI B.V. that include:
- Compliance with GDPR Article 28 requirements
- Restrictions on data use and processing purposes
- Security and confidentiality obligations
- Audit rights and data breach notification requirements
- Sub-processor management and approval processes
- Data deletion and return upon termination
13. Request DPA or More Information
If you need:
- A copy of our DPA for your records
- Information about specific sub-processors
- Details about transfer mechanisms in place
- Evidence of compliance measures
Please contact our privacy team:
Privacy Contact
JustPost AI B.V.
Raamplein 1, 1016XK Amsterdam
The Netherlands
Email: [email protected]
Phone: +31 617422916 (Mon–Fri, 09:00–17:00 CET)
For our full privacy practices, please see our Privacy Policy.
Have questions about our policies?
Our team is here to help clarify anything. We typically respond within 24 hours.
Contact Support