Effective date: May 2026 · Last updated: 3 June 2026 · Version: v2.3 (Alternative domain registrar options removed from the product; OnlineNIC is the only active registrar. Previous v2.2: Sentry/Anthropic/Mistral removed; WHM/cPanel, Groq, Grok (xAI) added; AI consent version 1.1)
This page presents the public named sub-processor table as required by GDPR Art. 28(4) and KVKK Arts. 8-9. Enterprise customers with a signed DPA receive 30 days' prior notice of changes. Region- or product-specific additional sub-processors may be disclosed upon request.
1. Named Sub-processors — Complete List
The following table provides the legal name, service category, jurisdiction, transferred data categories, and transfer safeguards under GDPR Chapter V / KVKK Art. 9 for every third-party provider that processes personal data on behalf of RYSTAT (a brand of Unifics Limited):
| Provider | Service | Jurisdiction | Data categories | Transfer mechanism | DPA status |
|---|---|---|---|---|---|
| Stripe, Inc. | Payment processing (card + SEPA) | United States (DPF participant) | Payment metadata, customer email, invoice ID | SCC (2021/914) + EU-US DPF | Active |
| Hetzner Online GmbH | VPS and server hosting + AI Builder published-site visitor analytics/form submissions | Germany (EU) | Server logs, IP address, customer panel metadata, published-site visitor PII (form submissions + analytics beacons) | Intra-EU · N/A | Active |
| CloudNS Ltd. | Authoritative DNS hosting | Bulgaria (EU) | DNS queries, domain registration data | Intra-EU · N/A | Active |
| cPanel, L.L.C. (WebPros International) | WHM/cPanel hosting control panel (licensed server software + license validation telemetry) | United States | License activation metadata (server IP, license key), cPanel usernames, site publication metadata | SCC (2021/914) + EU-US DPF | Active |
| OnlineNIC, Inc. | Domain registrar + SSL reseller (default registrar) | United States | WHOIS data (name, email, address, phone) | SCC (2021/914) | Active |
| Sectigo Limited | SSL Certificate Authority | United Kingdom | Domain validation data, certificate request data | Adequacy decision (UK) | Active |
| GoGetSSL (EnVers Group SIA / DigiCert Ireland Ltd) | SSL certificate issuance + reissue | Latvia (EU) → Ireland (EU) | CSR + admin contact email + DCV records | Intra-EU · N/A (sub-processor of DigiCert IE) | Active |
| SmarterTools, Inc. | SmarterMail email server software | United States | Email metadata, sender/recipient addresses | SCC (2021/914) | Active |
| Hangzhou DeepSeek Artificial Intelligence Co., Ltd. | AI content generation (primary — default provider, AI_PROVIDER=deepseek) | People's Republic of China | AI prompts, content instructions (may contain personal data) | Explicit consent · GDPR Art. 49(1)(a) · KVKK Art. 9/6 | Active (when user provides AI consent) |
| OpenAI, L.L.C. | AI content generation (optional provider option) | United States (DPF participant) | AI prompts, model inputs | SCC (2021/914) + EU-US DPF | Reserved — not currently active (OPENAI_API_KEY not set in production environment; activation triggers re-consent) |
| Groq, Inc. | AI content generation (optional provider option — high-speed inference) | United States | AI prompts, model inputs | SCC (2021/914) | Reserved — not currently active (GROQ_API_KEY not set in production environment; activation triggers re-consent) |
| X.AI, LLC (Grok) | AI content generation (optional provider option) | United States | AI prompts, model inputs | SCC (2021/914) | Reserved — not currently active (XAI_API_KEY not set in production environment; activation triggers re-consent) |
Special notice for DeepSeek (PRC): This transfer is subject to a Transfer Impact Assessment (TIA) under EDPB Recommendation 01/2020 and is only carried out where explicit, specific consent has been obtained under GDPR Art. 49(1)(a) / KVKK Art. 9/6. The Member may withdraw consent at any time via the "Disable AI features" option in account settings; withdrawal is prospective. DeepSeek is the only currently active AI provider; OpenAI / Groq / X.AI (Grok) provider options exist in the code but are inactive because their production environment API keys are not configured. Activating any of these triggers re-consent.
Wave B disclosure correction (23 May 2026): The previous v2.1 listed Anthropic PBC, Mistral AI SAS, and Functional Software (Sentry) as "Active". None of these are integrated in the code base: Anthropic and Mistral are absent from the AI provider union type (src/lib/ai/provider.ts); the Sentry SDK has been a no-op stub since the Wave 24m revert (commit 2112d5a8). To avoid "misleading transparency" under KVKK Art. 10 + GDPR Art. 13, these three providers have been removed from the list. If any are re-added, the 30-day DPA notification will be issued and re-consent will be triggered by bumping legal.ai_features_version.
2. Categorical Summary and Data Flow
| Category | Providers | Aggregate jurisdictions |
|---|---|---|
| Hosting and data centre | Hetzner Online GmbH | EU (DE) |
| DNS and network | CloudNS Ltd. | EU (BG) |
| Hosting control panel | cPanel, L.L.C. (WebPros) | US (DPF) |
| Payment and billing | Stripe, Inc. | US (DPF) |
| Domain and SSL (active) | OnlineNIC, Inc. · Sectigo Limited · GoGetSSL (EnVers Group SIA / DigiCert IE) | US · GB · EU (LV/IE) |
| Email infrastructure | SmarterTools, Inc. | US |
| Artificial intelligence and language models (active) | Hangzhou DeepSeek AI Co., Ltd. | People's Republic of China |
| Artificial intelligence and language models (reserved, env-key-driven) | OpenAI · Groq · X.AI (Grok) | US (DPF / standard) |
3. Selection, Oversight, and Contracting
When selecting sub-processors, RYSTAT takes into account security, operational suitability, data protection obligations, and service continuity criteria.
- Written agreement (GDPR Article 28(4)): Where sub-processing activities involve personal data, a written data processing agreement is concluded with the sub-processor. Sub-processors are bound by data protection standards at least equivalent to those set out in the agreement with RYSTAT.
- Transfer safeguards: Where a sub-processor relationship involves transfers of personal data outside the EU/EEA, the EU Standard Contractual Clauses (Commission Decision 2021/914) or equivalent appropriate safeguards are applied.
- Ongoing oversight: RYSTAT monitors sub-processors' compliance with their data protection obligations using reasonable commercial efforts.
4. Updates and Notification
The sub-processor framework may be updated in line with changes to the service architecture, location, or products used. Updates are published on this page.
- Public notification: In the event of the addition of a new sub-processor or a material change to an existing sub-processor, this page is revised with the date of the update indicated.
- Individual notification to DPA customers (GDPR Article 28(4)): Enterprise customers subject to an active Data Processing Agreement (DPA) shall be notified by email at least 30 days before the addition of a new sub-processor or a material change to an existing sub-processor that affects the scope of personal data processing. The customer retains the right to raise a reasoned and legally justified objection to such changes.
- Information that is legally restricted for security reasons is excluded from the scope of such notifications.
5. Order of Precedence and Conflicts
In the event of any conflict between this document and any other contractual document, the following order of precedence shall apply:
- Signed enterprise agreement, order form, or proposal addendum
- Product-specific service terms
- Acceptable Use Policy (AUP)
- Service Level Agreement (SLA)
- Data Processing Agreement (DPA) (with respect to data processing matters only)
- Terms of Service
- Privacy Policy
- Refund Policy
- This Public Sub-processor Framework
Signed enterprise agreements, order forms, or proposals shall always take precedence over these public documents. In the event of a conflict, the most specific and most recent signed document shall prevail.