Sub-processors

Last updated: June 2026

The list below identifies the sub-processors that Picspace (operated by Matthias Grieder, geb. 20.11.1976, sole trader) engages to process Customer Personal Data in providing the Services. It is incorporated by reference into our Data Processing Agreement (Annex 1).

We notify customers of any intended addition or replacement of a sub-processor with at least 30 days' notice, during which a customer may object on reasonable data-protection grounds directly related to the proposed Sub-processor. Failure to object within the 30-day period shall be deemed acceptance of the new Sub-processor.

To receive notifications, email privacy@picspace.io with the subject "Subscribe — sub-processor notices".

Active sub-processors

Sub-processor	Purpose	Location of processing	Transfer safeguard
Amazon Web Services EMEA SARL (AWS)	Application hosting, managed databases (RDS PostgreSQL), object storage (S3), email delivery (SES). All primary workloads run in eu-central-1 (Frankfurt).	EU (eu-central-1, Frankfurt); limited control-plane operations may touch other AWS regions	Data controller is AWS EMEA SARL (Luxembourg entity); EU processing. SCCs + AWS DPA apply for any extra-EEA fallback (e.g. AWS support access)
Elastic NV (Elastic Cloud)	Managed Elasticsearch service for photo search and metadata indexing. Deployed on Elastic Cloud, running on AWS eu-central-1 (Frankfurt).	EU (AWS eu-central-1, Frankfurt) — no extra-EEA transfer	EU processing; governed by Elastic Cloud DPA + Elastic NV Data Processing Addendum
Clerk Technologies, Inc.	User authentication and account management (sign-up, sign-in, session management, webhooks for user lifecycle events)	United States (no EU instance available)	EU–US Data Privacy Framework (DPF, certified Feb 2024, primary mechanism) + SCCs as contractual fallback; governed by Clerk DPA
Polar Software Inc. (Polar.sh)	Subscription billing, payment processing, invoices, customer portal	United States (no EU instance available)	SCCs + Polar DPA; no DPF certification confirmed — SCCs are the primary transfer mechanism. Polar engages Stripe as a sub-processor for card processing
Resend, Inc.	Transactional email delivery (account notifications, gallery sharing, download links, system emails)	Email sending and routing: EU (eu-west-1, Ireland) via Amazon Route 53 — domain `mail.picspace.io` verified in Resend's EU region. Resend platform/account data (logs, dashboard) stored in United States	DPF-certified (primary mechanism) + SCCs as contractual fallback; governed by Resend DPA
OpenAI, L.L.C. / OpenAI Ireland Ltd	AI metadata generation (auto-tags, titles, descriptions) using Picspace's platform credits. See "BYOK" note below for the alternative configuration.	United States (with EU residency option for eligible accounts)	SCCs + OpenAI DPA; zero-retention requested where eligible. Inputs/outputs retained ≤30 days for abuse monitoring; not used for model training.
Google LLC	Customer-initiated photo import from Google Drive (OAuth-authorised, on customer's explicit instruction only)	United States	SCCs + Google Cloud DPA
PostHog, Inc. (PostHog Cloud EU)	Product analytics — page views, feature usage and conversion funnels across the Sites and application to improve the Service. Non-essential and consent-gated (loads only after the visitor accepts cookies); autocapture and session replay are disabled.	EU (AWS eu-central-1, Frankfurt) — independent EU Cloud instance; event data is not stored outside the EEA. US parent (PostHog, Inc.) may access for support.	EU data residency (EU Cloud); EU–US Data Privacy Framework certified (primary) + SCCs as contractual fallback for any US support access; governed by the PostHog DPA

Important note on Bring Your Own Key (BYOK)

When a customer enables BYOK by storing a personal OpenAI API key in account settings, AI calls are made on the customer's own OpenAI account. In that configuration:

OpenAI is not a sub-processor of Picspace. OpenAI processes the customer's data under the customer's direct contractual relationship with OpenAI.
The customer is the controller of the AI inference. Picspace acts as a technical conduit on the customer's documented instruction (saving the key + uploading a photo).
Picspace's encrypted-at-rest storage of the API key itself remains a Picspace processing activity, governed by our DPA.

See the Data Processing Agreement §2.3 for the full allocation of roles in the BYOK configuration.

Infrastructure providers (not sub-processors of Personal Data on customers' behalf)

The following providers support Picspace's operations but do not process Customer Personal Data on behalf of customers in the Art. 28 sense:

Vercel, Inc. — web frontend hosting and edge delivery (Next.js application); Vercel Analytics collects anonymised web-vitals and page-view data (no persistent user identifiers stored)
GitHub, Inc. — source code hosting, CI/CD pipelines, and internal user-feedback issue tracking (feedback submissions may include user identifiers; stored in a private repository accessible only to Picspace)

Contact

Questions or objections regarding sub-processors: privacy@picspace.io Picspace (operated by Matthias Grieder, geb. 20.11.1976, sole trader), Kirchengasse 36/10, 1070 Vienna, Austria.

Sub-processors

Last updated: June 2026

To receive notifications, email privacy@picspace.io with the subject "Subscribe — sub-processor notices".

Active sub-processors

Sub-processor

Purpose

Location of processing

Transfer safeguard

Amazon Web Services EMEA SARL (AWS)

Application hosting, managed databases (RDS PostgreSQL), object storage (S3), email delivery (SES). All primary workloads run in eu-central-1 (Frankfurt).

EU (eu-central-1, Frankfurt); limited control-plane operations may touch other AWS regions

Data controller is AWS EMEA SARL (Luxembourg entity); EU processing. SCCs + AWS DPA apply for any extra-EEA fallback (e.g. AWS support access)

Elastic NV (Elastic Cloud)

Managed Elasticsearch service for photo search and metadata indexing. Deployed on Elastic Cloud, running on AWS eu-central-1 (Frankfurt).

EU (AWS eu-central-1, Frankfurt) — no extra-EEA transfer

EU processing; governed by Elastic Cloud DPA + Elastic NV Data Processing Addendum

Clerk Technologies, Inc.

User authentication and account management (sign-up, sign-in, session management, webhooks for user lifecycle events)

United States (no EU instance available)

EU–US Data Privacy Framework (DPF, certified Feb 2024, primary mechanism) + SCCs as contractual fallback; governed by Clerk DPA

Polar Software Inc. (Polar.sh)

Subscription billing, payment processing, invoices, customer portal

United States (no EU instance available)

SCCs + Polar DPA; no DPF certification confirmed — SCCs are the primary transfer mechanism. Polar engages Stripe as a sub-processor for card processing

Resend, Inc.

Transactional email delivery (account notifications, gallery sharing, download links, system emails)

Email sending and routing: EU (eu-west-1, Ireland) via Amazon Route 53 — domain mail.picspace.io verified in Resend's EU region. Resend platform/account data (logs, dashboard) stored in United States

DPF-certified (primary mechanism) + SCCs as contractual fallback; governed by Resend DPA

OpenAI, L.L.C. / OpenAI Ireland Ltd

AI metadata generation (auto-tags, titles, descriptions) using Picspace's platform credits. See "BYOK" note below for the alternative configuration.

United States (with EU residency option for eligible accounts)

SCCs + OpenAI DPA; zero-retention requested where eligible. Inputs/outputs retained ≤30 days for abuse monitoring; not used for model training.

Google LLC

Customer-initiated photo import from Google Drive (OAuth-authorised, on customer's explicit instruction only)

United States

SCCs + Google Cloud DPA

PostHog, Inc. (PostHog Cloud EU)

Product analytics — page views, feature usage and conversion funnels across the Sites and application to improve the Service. Non-essential and consent-gated (loads only after the visitor accepts cookies); autocapture and session replay are disabled.

EU (AWS eu-central-1, Frankfurt) — independent EU Cloud instance; event data is not stored outside the EEA. US parent (PostHog, Inc.) may access for support.

EU data residency (EU Cloud); EU–US Data Privacy Framework certified (primary) + SCCs as contractual fallback for any US support access; governed by the PostHog DPA

Important note on Bring Your Own Key (BYOK)

When a customer enables BYOK by storing a personal OpenAI API key in account settings, AI calls are made on the customer's own OpenAI account. In that configuration:

OpenAI is not a sub-processor of Picspace. OpenAI processes the customer's data under the customer's direct contractual relationship with OpenAI.

The customer is the controller of the AI inference. Picspace acts as a technical conduit on the customer's documented instruction (saving the key + uploading a photo).

Picspace's encrypted-at-rest storage of the API key itself remains a Picspace processing activity, governed by our DPA.

See the Data Processing Agreement §2.3 for the full allocation of roles in the BYOK configuration.

Infrastructure providers (not sub-processors of Personal Data on customers' behalf)

The following providers support Picspace's operations but do not process Customer Personal Data on behalf of customers in the Art. 28 sense:

Vercel, Inc. — web frontend hosting and edge delivery (Next.js application); Vercel Analytics collects anonymised web-vitals and page-view data (no persistent user identifiers stored)

GitHub, Inc. — source code hosting, CI/CD pipelines, and internal user-feedback issue tracking (feedback submissions may include user identifiers; stored in a private repository accessible only to Picspace)