Sub-processors
The third parties below process sigill.ai customer data on our behalf. Materially new sub-processors are announced here at least 30 days before they are introduced, so that customers under a data-processing agreement have a reasonable window to object.
| Sub-processor | Purpose | Data processed | Region |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting — compute, database, KMS, secrets, transactional email | Account data, audit records, hashes, sealed documents in transit | EU (Stockholm, eu-north-1) |
| Stripe Payments Europe, Ltd. | Subscription billing and invoicing | Billing email, plan, payment metadata. Card data is never seen by Sigill. | EU |
| ZITADEL GmbH | Federated identity / SSO (Google, Microsoft Entra ID) | Email, OIDC claims, IdP metadata for tenants that enable SSO | EU (eu1.zitadel.cloud) |
| Cloudflare, Inc. | Turnstile bot protection on the public contact form only | IP address and browser fingerprint at form-submit time | Global edge |
| GitHub, Inc. (ghcr.io) | Container image registry for the API and frontend builds | No customer data — application images only | Global |
Transfers outside the EEA
Where a sub-processor operates outside the European Economic Area, the transfer relies on the EU Commission's Standard Contractual Clauses and — where the counterparty is established in the United States — the EU-US Data Privacy Framework. sigill.ai is operated by Sigill AS, organisation number 937 798 970, established in Norway (EEA) with registered office at Arne Garborgs veg 21, 7071 Trondheim, Norway. The primary application data plane runs inside the EU.
What is not a sub-processor
Cryptographic counterparties — external Timestamp Authorities and Certificate Authorities — are not sub-processors in the GDPR sense. They never receive customer documents, only hashes (timestamping) or public-key certificate requests (CA issuance). They are documented under standards.
Notification
Customers on a paid plan with an executed data-processing agreement will be notified by email of new sub-processors at least 30 days before they begin processing. The notice period applies to materially new processors; routine regional capacity changes within an existing sub-processor (for example, AWS adding an availability zone inside eu-north-1) do not require a fresh notice.