ChronoLedger

Legal

Subprocessors

Version 2026.05.2 · Last updated · Effective

Introduction

ChronoLedger engages a small number of vetted third-party providers ("Subprocessors") to deliver, secure, and bill for the Service. Each Subprocessor is bound by a written data-processing agreement that imposes data-protection terms no less protective than those in our DPA. This page is the authoritative list under GDPR Article 28(3)(d) and is incorporated into the DPA by reference.

We do not currently claim third-party security certifications such as SOC 2 or ISO 27001 in our own name. We document our own technical and organisational measures in the DPA Security measures section, and we rely on the audited certifications of underlying infrastructure providers (in particular, the ISO 27001 certification of Leaseweb's Amsterdam data centre) for the platform layer.

We do not list Google Analytics or Google Tag Manager as Subprocessors because we do not use them. Marketing-website audience measurement is handled by a self-hosted instance of Plausible Analytics, running on our own Leaseweb infrastructure. Plausible is cookieless, sets no persistent identifier, and does not transfer data to any third party — it is part of our Service, not a Subprocessor.

Current subprocessors

The list below reflects the Subprocessors currently engaged. The Surface column indicates where each Subprocessor operates: Marketing site means the public website at chrono-ledger.com (visited without an account); App only means the product application at app.chrono-ledger.com (visited after sign-up); Both means the Subprocessor handles data from either surface. A visitor who only browses the marketing site is processed only by the Both-tagged Subprocessors; App only-tagged Subprocessors never see marketing-site traffic.

| Provider | Role | Surface | Location | Scope | Transfer mechanism | ML / AI use |
|---|---|---|---|---|---|---|
| Leaseweb Netherlands B.V. | Hosting | Both | Amsterdam, Netherlands (EU/EEA) | All Customer Data and Service infrastructure; also hosts our self-hosted Plausible analytics | EEA-internal — no cross-border mechanism required | No ML on Customer Data |
| Cloudflare, Inc. | CDN / Edge security | Both | Global edge network (controller in San Francisco, US) | IP address, request metadata, Turnstile challenge tokens; no Customer Data at rest | EU SCCs (Module 3); UK Addendum where applicable; Cloudflare DPA | Bot Management uses ML on traffic signals (does not process Customer Data) |
| Paddle.com Market Limited | Merchant of Record | App only | United Kingdom (with EU establishment in Malta) | Billing identifiers, payment metadata, invoice records | UK Addendum to EU SCCs (Module 2); Paddle DPA | Paddle Risk uses ML on transaction metadata for fraud detection |
| Stripe Payments Europe Limited / Stripe, Inc. | Marketplace payouts | App only | Ireland (Europe); United States (controller) | Connected-account identifiers, payout metadata, KYC data submitted by Workspace Owners | EU SCCs (Module 3); UK Addendum where applicable; Stripe DPA | Stripe Radar uses ML on transaction signals for fraud detection |
| Mailgun Technologies, Inc. | Transactional email | App only | EU region (eu.mailgun.net) where configured; United States (controller) | Recipient email address, message subject and body, delivery metadata; open/click tracking disabled in the sending-domain configuration | EU SCCs (Module 3); UK Addendum where applicable; Mailgun DPA | No ML on Customer Data |
| Sentry (Functional Software, Inc.) | Error monitoring | App only | Frankfurt, Germany (EU region — pinned for all environments) | Error stack traces, scrubbed request metadata; PII filtering enforced via SDK before-send hook (request body, authentication headers, cookies, user identifiers stripped at source) | EEA-internal for the EU region; EU SCCs (Module 3) where any incidental fallback to US occurs | Sentry "Suggested Fix" / AI features disabled at the organisation level |

Indirect subprocessors (sub-subprocessors of our Subprocessors)

Each of our direct Subprocessors engages its own subprocessors. We do not contract with these indirect parties; their use is governed by the relevant direct Subprocessor's own DPA and subprocessor list. The most material categories, drawn from the direct Subprocessors' published lists at the date of this version, are:

  • Paddle — fraud / KYC providers (Sift, Onfido or equivalent), payment-processor partners, infrastructure providers (AWS for parts of Paddle's stack).
  • Stripe Connect — Stripe Tax (powered by Avalara), Stripe Identity (powered by Onfido or equivalent), AWS for parts of Stripe's stack.
  • Mailgun — AWS for email-relay infrastructure (EU region used where configured).
  • Cloudflare — global edge POPs operated by Cloudflare, including in mainland China (operated for traffic destined to / from China by a Cloudflare PRC partner).
  • Sentry — Google Cloud Platform and AWS for parts of Sentry's infrastructure.

For the up-to-date list of any direct Subprocessor's own sub-subprocessors, see that Subprocessor's published page (linked from the relevant DPA on file).

Transfer mechanisms

Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision in force at the time of transfer, we rely on the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as appropriate) and, for UK data subjects, on the UK International Data Transfer Addendum. We have completed Transfer Impact Assessments under Schrems II for each out-of-EEA Subprocessor flow and applied supplementary measures where appropriate (encryption in transit, strict access controls, and contractual government-access reporting). Full TIAs are available on request and under our standard non-disclosure terms.

Notification of changes

We update this page when we add, remove, or replace a Subprocessor. Updates take effect on publication. The published version of this page is the authoritative notice mechanism — the Workspace Owner is responsible for monitoring it. We do not separately notify customers by email, and we are not obliged to seek individual customer agreement before engaging a new Subprocessor in line with this policy.

The Workspace Owner's general written authorisation in the DPA extends to all Subprocessors listed on this page from time to time. The Workspace Owner's sole and exclusive remedy if it does not wish to continue with a Subprocessor change is to terminate the account under the Termination clause of the Terms of Use.

Contact

Email legal@chrono-ledger.com for due-diligence questionnaires or vendor-review documentation. For privacy queries, email privacy@chrono-ledger.com.