Subprocessor Registry

Public and versioned list of subprocessors used by TunerBee AS

Version: 1.1

Last Updated: [date of publication]

TunerBee AS acts as a data processor on behalf of its customers. To provide the TunerBee platform, we engage the following sub-processors, each of which may process personal data on our instruction.

We will provide customers with at least 30 days' notice of any material changes to this list, in accordance with our Data Processing Agreement.

Infrastructure & Hosting

Microsoft Azure

Entity: Microsoft Ireland Operations Ltd / Microsoft Corporation

Purpose: Cloud infrastructure, hosting, compute, storage, and application monitoring for all platform data

Data location: EU and UK customers: West Europe / North Europe; US customers: East US

EU transfer mechanism: EU Standard Contractual Clauses (2021) + EU-US Data Privacy Framework

UK transfer mechanism: UK Addendum to EU SCCs

DPA: microsoft.com — Microsoft Products and Services DPA

AI / LLM Processing

Google LLC (Vertex AI / Gemini API)

Entity: Google Ireland Ltd / Google LLC

Purpose: Large Language Model processing of user-submitted scenario content; powers AI-driven scenario interactions and interview simulations

Data location: EU customers: EU data centres (configurable via Vertex AI region setting)

EU transfer mechanism: EU Standard Contractual Clauses (2021, Module 2) + EU-US Data Privacy Framework

UK transfer mechanism: UK Addendum to EU SCCs

DPA: cloud.google.com/terms/data-processing-addendum

Note: Customer data is NOT used to train Google foundation models. This is confirmed in Google's DPA and Terms of Service.

Analytics

Google Analytics / GA4

Entity: Google Ireland Ltd / Google LLC

Purpose: Product analytics — page views, feature usage, session data, conversion tracking

Data processed: Pseudonymised user IDs, masked IP addresses, device info, event data

Data location: EU data residency configured in GA4 Admin

EU transfer mechanism: EU Standard Contractual Clauses (2021) + EU-US Data Privacy Framework

UK transfer mechanism: UK Addendum to EU SCCs

Consent: Analytics cookies are only set with prior consent (PECR/ePrivacy). Google Consent Mode v2 is implemented.

DPA: marketingplatform.google.com/about/analytics/terms/

Authentication & Identity

Clerk, Inc.

Entity: Clerk.com Inc, US

Purpose: User authentication, session management, MFA, OAuth

Data processed: Name, email, authentication tokens, session data, login history

Data location: United States (Google Cloud Platform). No EU data residency available.

EU transfer mechanism: EU-US Data Privacy Framework (DPF certified Feb 2024; verified active May 2026)

UK transfer mechanism: UK Extension to EU-US DPF (UK-US Data Bridge)

Fallback: EU SCCs (Module 2/3) + ICO Approved Addendum (UK) in Clerk DPA

DPA: clerk.com/legal/dpa

Sub-processor list: clerk.com/legal/subprocessors

Payment Processing

Stripe

Entity: Stripe Technology Europe Ltd, Ireland / Stripe Payments UK Ltd / Stripe Inc, US

Purpose: Payment processing, subscription management, invoicing

Data processed: Billing contact name, email, billing address, transaction history. Card numbers are held exclusively by Stripe — TunerBee does not receive or store card data.

Data location: EU (Ireland) for all customers

EU transfer mechanism: EU entity (Ireland) — no third-country transfer for payment data

UK transfer mechanism: UK DPA available via Stripe Dashboard

DPA: stripe.com/en-no/legal/dpa

Transactional & Marketing Email

Loops

Entity: Astrodon Corporation, US

Purpose: Transactional and marketing email — account activation, password resets, billing receipts, usage alerts, scenario invitations, marketing campaigns

Data processed: Email address, name, message content, delivery/open/click metadata

Data location: United States (no EU data residency; transfer covered by DPF)

EU transfer mechanism: EU-US Data Privacy Framework (Astrodon Corporation certified) + Standard Contractual Clauses (fallback)

UK transfer mechanism: UK Extension to EU-US Data Privacy Framework (UK-US Data Bridge) + SCCs (fallback)

DPA: loops.so/dpa

Privacy: loops.so/privacy

Trust / SOC 2: trust.oneleet.com/loops

CRM & Marketing

Attio Ltd

Entity: Attio Ltd, UK / Attio Inc, US

Purpose: CRM — customer and prospect contact management, deal pipeline, marketing communications

Data processed: Contact name, email, phone, company, job title, deal stage, communication history

Data location: United States (AWS US East). Attio is UK-incorporated but US-hosted.

EU transfer mechanism: EU Standard Contractual Clauses (2021)

UK transfer mechanism: UK GDPR obligations apply directly to Attio as a UK-incorporated company; UK Addendum in DPA

DPA: attio.com/legal/dpa

Questions about our subprocessor arrangements or data transfer mechanisms: privacy@tunerbee.com