Eleion / Scanner

Sub-processors

Last updated: 2026-04-19. Published under Art. 28.2 GDPR.

Eleion Scanner discloses the minimum necessary Personal Data to the sub-processors below. Any change is notified 30 days in advance. Customers with active paid subscriptions receive change notifications by email.

Current sub-processors

| Name | Purpose | Location | DPA |
|---|---|---|---|
| Amazon Web Services | Compute (ECS Fargate), database (RDS Postgres), storage (S3), keys (KMS), logs (CloudWatch), DNS (Route53) | eu-central-1 (Frankfurt, Germany). Control-plane metadata may transit AWS global infrastructure; covered by SCC 2021/914 Module 2. | AWS DPA (GDPR) |
| Stripe Payments Europe Ltd | Payment processing, invoicing, subscription management | Ireland (EEA) + Stripe Inc. US under SCC | Stripe DPA |
| Cloudflare | CDN for the landing site, DNS, Turnstile captcha, Cloudflare Tunnel for the API gateway | EU data centers; Cloudflare Inc. US under SCC | Cloudflare DPA |
| Resend | Transactional email delivery (welcome email on waitlist signup, invite codes) | Inc. US, EU-replicated infra; SCC applies | Resend DPA |

Sub-processor selection criteria

Before engaging any sub-processor we verify:

  1. A published GDPR-compliant DPA;
  2. Technical and organizational measures at least equivalent to ours;
  3. EU presence or Standard Contractual Clauses with documented Transfer Impact Assessment;
  4. Data breach notification within 24 hours to Eleion as Controller-side intermediary.

Transfers outside the EEA

Where a sub-processor's infrastructure may transit or store Personal Data outside the EEA, we rely on Standard Contractual Clauses (Decision 2021/914) combined with supplementary measures:

  • Encryption at rest with keys managed in the EEA;
  • Encryption in transit (TLS 1.2+);
  • Minimization of Personal Data in logs and diagnostics;
  • Transfer Impact Assessment documented and shared under NDA on enterprise request.

Historical changes

  • 2026-04-19 — initial sub-processor list published with Eleion Scanner v6.7.2 launch.

Questions or objections: privacy@eleion.io.

Eleion, independent product. Italian corporate entity registration in progress — current operator details on request at legal@eleion.io. Service hosted on AWS Frankfurt (eu-central-1). Primary customer data stays inside the EU.
Contacts: privacy@eleion.io · abuse@eleion.io · security@eleion.io · legal@eleion.io
Strictly necessary cookies only. Designed to support GDPR obligations (Regulation EU 2016/679) and the Italian Codice della Privacy — DPA, sub-processors and Transfer Impact Assessment published. Self-assessment EU 2021/821 (dual-use): passive scanner, no intrusion software nor exploit generation.
