Sub-processor disclosure · DPA reference

Sub-Processors — Flowie's Named Third-Party Data Processors

Last updated:

Flowie engages exactly 9 named sub-processors to deliver our service. All 9 have signed Data Processing Agreements (DPAs) with Flowie, and all non-EU transfers are governed by Standard Contractual Clauses (SCCs). AI processors handle descriptive text only — never financial amounts, never IBANs. Mistral AI is fully French-hosted.

This page is the canonical public reference for the sub-processor annex of the Flowie DPA (version: May 2025). If you are a data controller reviewing our sub-processor disclosure before signing or renewing your DPA, this is the document your team needs. We update this list whenever a sub-processor is added, replaced, or materially changed.

The "Last reviewed" date in the table reflects the most recent per-processor verification. The page-level date above reflects the last time this document was published or revised. Material changes — meaning any addition, replacement, or significant scope expansion — are communicated to data controllers at least 30 days in advance. Minor operational changes (for example, a sub-processor updating a sub-region within an already-disclosed country) do not trigger formal notification. To receive advance notice of material changes automatically, subscribe using the link at the bottom of this page.

The list

Sub-processor list

Nine named third parties. All under signed DPAs. SCCs in force for every non-EU transfer.

Last reviewed:

Selection & audit

How we choose and audit sub-processors

Every sub-processor on this list passed a structured evaluation before Flowie engaged them, and each is reviewed at least once per year.

Selection criteria. Before onboarding any sub-processor, Flowie's security and legal teams assess: (1) security certifications — ISO 27001, SOC 2 Type II, and sector-specific frameworks such as SecNumCloud for infrastructure; (2) data location and the jurisdiction in which personal data will be processed or stored at rest; (3) GDPR compliance posture, including the sub-processor's own documentation of technical and organizational measures; and (4) contractual commitments — specifically, the sub-processor's willingness to sign a DPA with appropriate data protection clauses, and, for non-EU processors, to execute Standard Contractual Clauses in accordance with the EU Commission's 2021 decision.

Risk classification. We classify our sub-processors into three tiers. Infrastructure processors (GCP/S3NS) receive the highest scrutiny because they host the environment in which all data lives. Data processors (Auth0, SendGrid, Sentry, Intercom, Fivetran) process specific categories of personal or operational data and are scoped strictly to their stated purpose. AI processors (OpenAI, Mistral AI, Anthropic) warrant a separate evaluation track: we assess input minimization controls, retention caps, and, most critically, whether the vendor has committed contractually to zero retraining using client data. All three AI providers on this list have made that commitment in writing.

Annual review. Each year, Flowie's DPO re-verifies certifications, confirms DPAs remain current, and reviews any changes to sub-processor processing locations or ownership. If a review reveals a material gap, we suspend use of that processor until remediation is confirmed.

No new sub-processor is activated in production until a signed DPA and, where required, SCCs are in place.

30-day advance notice

Notification of changes

Flowie commits to notifying data controllers at least 30 days before any material change to this sub-processor list takes effect. A material change is defined as: adding a new sub-processor, replacing an existing sub-processor, or materially expanding the scope of data an existing sub-processor is permitted to process.

This commitment is reflected in the sub-processor annex of the Flowie DPA. If you have signed a DPA with Flowie, this page is the reference document that annex points to.

Minor changes — such as a sub-processor updating their data center from one facility to another within the same country, or a parent-company name change with no operational effect — do not trigger the 30-day notification requirement, but will be reflected in the "Last reviewed" date on the relevant table row.

Subscribe to change notifications. Data controllers and DPOs can opt in to receive email notification of material sub-processor changes before they take effect. We do not add contacts to this list without explicit opt-in, and you can unsubscribe at any time.

Buyers ask us this

Frequently asked questions

What data controllers and DPOs ask before signing or renewing their DPA.

Why these specific sub-processors?

Each was selected because it was the right tool for a specific, narrow function — and because it met our security and compliance bar. GCP/S3NS gives us EU sovereign cloud infrastructure certified to SecNumCloud by ANSSI. Mistral AI gives us a French-hosted AI provider with no data leaving the EU. Auth0 gives us a battle-tested identity layer hosted in Belgium. We did not pick vendors on brand alone; every selection was preceded by a DPA review and a data-flow assessment confirming that the vendor's processing is limited to what we described in this table.

Is my data sent outside the EU?

Some data is transferred to US-based sub-processors: SendGrid, Sentry, Intercom, Fivetran, OpenAI, and Anthropic are all US-headquartered. All six transfers are governed by Standard Contractual Clauses signed under the EU Commission's 2021 SCCs decision. Flowie's primary infrastructure (GCP/S3NS), authentication layer (Auth0), and one of its three AI providers (Mistral AI) are EU-hosted, meaning a significant share of processing never leaves the EU.

Do AI providers see our financial amounts or IBANs?

No. This is a hard architectural constraint, not a policy preference. Flowie's document processing pipeline extracts and sends only descriptive text fields to AI providers — document descriptions, line-item labels, category names. Financial amounts, IBAN numbers, and similar sensitive identifiers are never included in the payloads sent to OpenAI, Mistral AI, or Anthropic. This constraint is enforced at the application layer before any data reaches an AI provider's API.

How are non-EU transfers legally protected?

All six non-EU sub-processors have executed Standard Contractual Clauses with Flowie. SCCs are the transfer mechanism approved by the EU Commission under GDPR Article 46(2)(c). They impose binding contractual obligations on the receiving party to maintain EU-equivalent data protection standards, regardless of local law.

How will I be told if a sub-processor changes?

If you have signed a DPA with Flowie, the sub-processor annex of your DPA covers the notification commitment automatically — you do not need to register separately, but you should ensure your designated DPO or legal contact email is current with your Flowie account manager. For additional advance notice, you can subscribe explicitly at /contact?intent=subprocessor-notifications. Notifications are sent at least 30 days before the change takes effect, giving you time to assess the impact and, if necessary, exercise your right to object under the terms of your DPA.

Get signed or stay informed

Get your DPA signed or stay informed

Two paths from this page — both go through the same intake. Pick yours.

Request a signed DPA

We turn DPA countersignatures around as quickly as redlines allow.


Subscribe to sub-processor change notifications

Receive 30-day advance notice of any material change to this list.
