Last updated: April 2026
When you use ComplianceLint, KI·SUM·AI - Kisum GmbH (the “controller”) engages a small number of third-party service providers to deliver, secure, and bill for the service. Under Art. 28 GDPR, these are subprocessors — they process personal data only on our documented written instructions.
This page is the canonical list. The privacy policy at /legal/privacy §5 contains the same information embedded in the broader privacy disclosure; this page exists so customers and their compliance counsel can audit the current subprocessor list at a single stable URL.
We will provide advance written notice of any change to this list (addition, removal, or material change of role) before the change takes effect. Customers may object to a new subprocessor under the terms of their service agreement; if no reasonable accommodation is possible we will offer termination consistent with applicable contract terms.
Each subprocessor below is bound by an executed Data Processing Agreement (Art. 28 GDPR) or equivalent. For international transfers outside the EEA, where applicable we rely on the European Commission's Standard Contractual Clauses (SCCs), the EU–U.S. Data Privacy Framework (where the recipient is certified), and supplementary technical and organisational safeguards as required by Chapter V GDPR.
| Subprocessor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH (Gunzenhausen, Germany) | Hosting, server infrastructure, primary data residency (Falkenstein / Nürnberg data centres). Stores the application database, application files, and backups. | EU 🇩🇪 | Internal EU — no Chapter V transfer |
| PostHog Inc. (EU instance, eu.posthog.com) | Privacy-focused product analytics + browser-side exception capture. Anonymised usage events; no advertising profile. | EU 🇪🇺 | EU instance — data stored in EU |
| Sentry GmbH (EU instance, de.sentry.io) | Supplemental error tracking, env-gated dual-write alongside our self-hosted error_logs (see privacy policy §6a). | EU 🇩🇪 | Sentry GmbH is German — no Chapter V transfer |
| Resend Inc. (San Francisco, California, USA) | Transactional email delivery: magic-link login, account alerts, team invitations, retention notices. | USA 🇺🇸 | EU–U.S. Data Privacy Framework + SCCs |
| Lemon Squeezy LLC (sold through Link, LLC f/k/a Lemon Squeezy LLC, USA) | Payment processing, tax handling, and subscription billing for paid plans. Acts as Merchant of Record. | USA 🇺🇸 | SCCs |
| GitHub Inc. (Microsoft Corporation subsidiary, USA) | OAuth authentication identity only. We do not request or store GitHub access tokens for content access (your files, your repos). | USA 🇺🇸 | OAuth-only minimal data; standard ToS |
| Google LLC (Mountain View, California, USA) | OAuth authentication identity only. Same scope and limitations as GitHub above. | USA 🇺🇸 | OAuth-only minimal data; standard ToS |
The following are not subprocessors of ComplianceLint:
For each subprocessor above, KI·SUM·AI - Kisum GmbH maintains internally:
These documents are available on written request from the data controller of any customer organisation; please email info@compliancelint.com with your account email and your role at the controller organisation.
Before any new subprocessor begins processing your personal data, we will notify you in writing — either via the email address on your account, or via an in-product announcement that requires acknowledgement before continued use of the service. We aim to provide at least 14 days' advance notice for non-urgent changes; for changes required by security or regulatory necessity (e.g. an upstream provider mandates an updated DPA), the notice may be shorter and we will explain the cause.
You may object to the use of a new subprocessor under the terms of your service agreement. If we cannot reasonably accommodate your objection, we will offer termination of the affected service consistent with applicable contract terms; a pro-rated refund is available where contractually required.
For subprocessor-related questions, audit requests, or objection notices, please email info@compliancelint.com with subject line “Subprocessor inquiry”.