To run our software development services, Academy, and client platform, Oleksandr Koniev Strataforge (Jednoosobowa działalność gospodarcza) relies on a small set of trusted third-party providers that process personal data on our behalf or alongside us. Under data protection law these providers are called subprocessors. This page lists the current ones, what each does, the categories of personal data and data subjects involved, the region where processing happens, and the legal basis for any transfer outside the European Economic Area (EEA).

This page supports our Privacy Policy and, for business clients, our Data Processing Agreement. Where we act as a processor for a client, these subprocessors are our subprocessors and the authorisation and objection rights described below run to that client.

1. What a subprocessor is

A subprocessor is a third party we engage to process personal data in the course of providing our services, for example hosting, payments, email delivery, or AI features. We stay responsible to you for the data we hand to them. Under RODO art. 28 ust. 4, each subprocessor is bound by the same data protection obligations that apply to us, and we remain fully liable to you for how they perform.

We only engage subprocessors that offer sufficient guarantees of appropriate technical and organisational measures, we keep the list below current, and we sign a data processing agreement (or equivalent terms) with each one before any personal data flows to them. Consistent with RODO art. 28 ust. 3, for each subprocessor we disclose the processing purpose, the categories of personal data, and the categories of data subjects involved, so that controllers can assess any change.

Oleksandr Koniev Strataforge is Jednoosobowa działalność gospodarcza. The business is run by its proprietor, who bears unlimited personal liability for the obligations connected with this processing; there is no separate share capital and no commercial-register filing standing behind these commitments.

2. Current subprocessors

The providers below make up our current subprocessor roster. For each one we state its purpose, its processing role, the categories of personal data and data subjects it may touch, the region plus transfer basis, and its activation status. Where a provider processes data in the United States, the transfer relies on European Commission Standard Contractual Clauses (SCCs) under RODO art. 46 ust. 2 lit. c and, where the provider is certified, on the EU-US Data Privacy Framework.

Active subprocessors (a data processing agreement is executed and personal data may flow today):

• Stripe - payment processing and billing. Two distinct roles: as our processor for payment and billing data handled on our instruction (Module 2 transfer leg), and as an independent controller for its own fraud prevention, loss mitigation, and compliance (a separate controller-to-controller relationship, not subprocessing on our behalf). Personal data: payment card and transaction data, billing name, email, billing address. Data subjects: paying clients and their authorised payers. EU contracting entity for EEA accounts (Stripe Payments Europe Ltd, Ireland) with onward processing in the United States under SCCs. DPA and subprocessor list: Stripe's subprocessor list.
• Supabase - database, authentication, file storage, and built-in transactional email. Processor for the data we store. Personal data: account identifiers, authentication credentials, profile data, and any content stored by users. Data subjects: registered users and client-platform contacts. Processing region is elected by us as the EU region; this is pending verification of the executed Schedule 3 sub-processor chain (the underlying cloud infrastructure provider acts as a further subprocessor). DPA and subprocessor list: Supabase's DPA.
• Vercel - website and application hosting, content delivery. Processor for hosted content. Personal data: request metadata, IP addresses, and any personal data contained in served content. Data subjects: site visitors and platform users. Primary processing facilities are in the United States, with transfers under SCCs. DPA and subprocessor list: Vercel's subprocessor list.
• Anthropic - AI inference for product features. Processor for content sent to its API. Personal data: only what is contained in prompts and inputs you submit to AI features. Data subjects: users of AI features and any individuals referenced in their inputs. Processing location follows service configuration, with transfers under SCCs (Modules 2 and 3). DPA and subprocessor list: Anthropic's subprocessor list.

Pending activation (listed for transparency but NOT yet receiving production personal data; each is gated on a verified executed DPA, SCC module, DPF status where relevant, and sub-processor list before it goes live):

• OpenAI - AI inference for product features. Intended role: processor for content sent to its API. Personal data: only what is contained in prompts and inputs. Data subjects: users of AI features and individuals referenced in their inputs. United States by default, with EU data residency available on eligible plans; transfers intended under SCCs. Activation status: pending verification of the executed DPA, transfer basis, and residency election.
• Resend - transactional email delivery (account confirmations, password resets, invoices, notifications). Intended role: processor for recipient addresses and message content. Personal data: recipient email addresses and message content. Data subjects: email recipients. United States entity, transfers intended under SCCs (expected Module 2). Activation status: pending execution and verification of the DPA.
• OpenRouter - AI model routing across multiple providers. Intended role: processor for prompts and content routed through it. Personal data: only what is contained in routed prompts and inputs. Data subjects: users of AI features and individuals referenced in their inputs. United States entity. Routed requests reach only an internally maintained allowlist of downstream model providers acting as further subprocessors; that allowlist will not change without prior notice to DPA clients. Transfers intended under SCCs. Activation status: pending verification of the DPA, transfer basis, and the published downstream allowlist.
• Tavily - web search and retrieval for AI features. Intended role: processor for search queries it receives. Personal data: only what is contained in search queries. Data subjects: users of AI features. United States entity, transfers intended under SCCs. Activation status: pending verification of the DPA and transfer basis.
• ElevenLabs - text-to-speech and voice generation for AI features. Intended role: processor only where the text or voice content you supply contains personal data. Personal data: supplied text and, where applicable, voice samples (which can themselves be personal data). Data subjects: users of AI features and any speakers in supplied audio. United States entity, transfers intended under SCCs. Activation status: pending verification of the DPA and transfer basis. You must not supply personal voice samples for the purpose of uniquely identifying a person, as set out in the AI features section below.

Not every provider receives every category of personal data, and several only process data when a specific feature is used. The internal sub-processor registry held by Oleksandr Koniev Strataforge records the exact data categories, executed agreements, and transfer-mechanism detail for each provider; you can request the relevant detail at alex@strataforge.co.

3. AI features and transparency

Some of our features use AI inference or voice generation provided by the subprocessors above. Where you interact with an AI system or receive content that is artificially generated, we tell you so, in line with the transparency duties under AI Act art. 50. Artificially generated or manipulated audio produced through these features is identified as synthetic.

A voice sample of an identifiable person is itself personal data under RODO art. 4 ust. 1, and a voiceprint used to uniquely identify a person is biometric data. To avoid prohibited processing under RODO art. 9, you must not supply personal voice samples for the purpose of uniquely identifying a natural person, and we do not use these features to build identification voiceprints.

4. International transfers

Several of the providers above are based in or process data in the United States. Under RODO art. 44, a transfer of personal data outside the EEA may take place only if the conditions of Chapter V of RODO are met so that the level of protection is not undermined, including for onward transfers.

Where a US-based provider is not covered by an adequacy decision, we rely on the European Commission Standard Contractual Clauses adopted in Decyzja wykonawcza Komisji (UE) 2021/914 as the appropriate safeguard under RODO art. 46 ust. 2 lit. c. Where the provider holds a valid certification under the EU-US Data Privacy Framework, that adequacy basis applies. We aim to keep personal data inside the EU region wherever a provider lets us elect it.

5. How we notify you of changes

We may add or replace a subprocessor as our services evolve. When we do, we will update the list on this page and, for business clients to whom we act as a processor under our Data Processing Agreement, we will send advance notice of the intended addition or replacement to that client's designated legal or privacy contact at least 30 days before the new subprocessor begins processing personal data. This notice is mandatory and does not depend on the client signing up for it. This reflects RODO art. 28 ust. 2, under which a processor operating on general written authorisation must inform the controller of intended subprocessor changes and give it the opportunity to object.

Beyond that mandatory notice to the designated contact, business clients can also ask us to add extra recipients to our subprocessor change notifications by emailing alex@strataforge.co.

6. Your right to object

If you are a business client for whom we act as a processor, you may object to a new or replacement subprocessor on reasonable data-protection grounds within 30 days of our notice. Send your objection to alex@strataforge.co.

If we cannot resolve a good-faith objection together, you may terminate the part of the service that depends on the disputed subprocessor, as set out in our Data Processing Agreement.

7. Related policies and contact

This page works together with our Privacy Policy, which explains what personal data we process and why, and our Data Processing Agreement, which governs processing we carry out on behalf of business clients.

For any question about a subprocessor, a transfer basis, or to request the detailed registry entries, contact Oleksandr Koniev Strataforge at alex@strataforge.co. Oleksandr Koniev Strataforge is Jednoosobowa działalność gospodarcza with its seat in Warsaw, Poland; its registration details (NIP 5214165020, REGON 544734689) and address ul. Złota 75A lok. 7, 00-819 Warszawa appear in the site imprint.