Sub-processors

Last updated: 1 January 2026 · This list is an annex to the Data Processing Agreement.

AConsultIT OÜ uses the carefully selected sub-processors listed below to deliver APower Flex. Each sub-processor is bound by written data-protection terms equivalent to those imposed on AConsultIT OÜ under Art. 28 GDPR. All production processing of customer data takes place within the European Union.

Change notice: Customers are notified by email at least 14 days before any new sub-processor is added or replaced. The current version of this page is authoritative.

Sub-processor	Purpose	Data categories	Region	Safeguards
Microsoft Azure Microsoft Ireland Operations Ltd.	Application hosting, Azure SQL Database, Azure Key Vault, monitoring, encrypted backups.	All platform data (encrypted at rest, AES-256).	EU only West/North Europe	DPA, ISO 27001, ISO 27018, SOC 2, EU SCCs where applicable.
Stripe Stripe Payments Europe Ltd.	Subscription billing, payment processing, invoicing for the SaaS service.	Billing contact, payment method tokens, invoice metadata. No business records.	EU Ireland	DPA, PCI-DSS Level 1, EU SCCs for any onward US transfer.
Microsoft Entra ID (optional) Azure AD / SSO	Optional single sign-on for tenants that enable Entra ID federation.	Identifier, email, role claim. Activated only on customer request.	EU	Microsoft DPA, ISO 27001, SOC 2.

Inactive / on-request sub-processors

The following services are not enabled by default and are only used when the customer explicitly activates the corresponding feature:

Email delivery provider — used only if the customer configures outbound transactional email (e.g., invoice delivery). EU provider with SCCs.
Local AI inference (Ollama) — runs on the same EU host; no data leaves the tenant boundary.

How we evaluate sub-processors

EU establishment or, failing that, valid transfer mechanism (Adequacy / EU SCCs + supplementary measures).
Documented security certification (ISO 27001 / SOC 2 / equivalent).
Signed Data Processing Agreement with audit and breach-notification clauses.
Least-privilege access — sub-processor receives only the data strictly needed for its task.
Annual review of certifications and incident history.

Object to a sub-processor

Customers may object to a new or replacement sub-processor within 14 days of the change notice on reasonable, documented data-protection grounds. To file an objection, email privacy@apowerflex.com with the subject "Sub-processor objection".