Last updated: 2026-05-21 · v1.4
suPlay BV uses the following subprocessors to operate the Supplier Satisfaction Analysis Platform. Each subprocessor has signed a GDPR-compliant data-processing agreement with suPlay. We commit to providing at least 30 days’ written notice before adding or replacing a subprocessor; you may subscribe to notifications by emailing privacy@suplay.nl.
| Name | Purpose | Data categories | Region | Safeguards |
|---|---|---|---|---|
| TransIP (team.blue) | VPS hosting | All application data | NL (EU) | EU hosting, DPA |
| Scaleway SAS | Encrypted off-site backups | All data, GPG-AES256 encrypted at rest | NL (EU, Amsterdam) | EU hosting, DPA, client-side encryption |
| Resend, Inc. | Transactional email (invitations, password reset) | Recipient email, message body | EU (eu-west-1, Ireland) | EU data residency, DPA |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Subscription billing (only when APP_BILLING_ENABLED) | Payer identifier, email, transaction history | LU (EU) | EU hosting, DPA |
| Qualtrics, LLC (SAP) | Optional external survey distribution (only when enabled by the account holder) | Survey structure (question texts, dimension names); no personal respondent data is transferred | US (sjc1, San Jose) | SCCs (EU–US), DPA |
| Functional Software, Inc. (Sentry) | Application error monitoring | Error traces, request path, authenticated user ID | EU (Frankfurt, *.ingest.de.sentry.io) |
EU data residency, DPA |
The following services run on suPlay BV’s own infrastructure (TransIP VPS, Netherlands) and are therefore operated by suPlay BV as controller / processor in its own right — they are not subprocessors and no third-party DPA applies.
| Service | Purpose | Data categories | Location |
|---|---|---|---|
| PostgreSQL 13 | Primary application database | All application data | NL (EU) — TransIP VPS |
| Redis 7 | Async job queue (Symfony Messenger) | Transient message payloads | NL (EU) — TransIP VPS |
| Ollama / Gemma (on-premises LLM) | AI-assisted report generation | Anonymised survey response aggregates (no personal identifiers) | NL (EU) — suPlay-operated node, reached via SSH reverse tunnel |
| Date | Version | Change |
|---|---|---|
| 2026-05-21 | v1.4 | Self-hosted Ollama node: network transport corrected from WireGuard to an SSH reverse tunnel. Descriptive accuracy only — no change to subprocessors or data flows. |
| 2026-05-07 | v1.3 | Added Qualtrics (optional external survey distribution, US/sjc1, SCCs). |
| 2026-05-06 | v1.2 | Resend region corrected to EU (eu-west-1, Ireland). Notice period updated to 30 days (aligned with DPA §7). Self-hosted services table added. Contact email updated to privacy@suplay.nl. |
| 2026-04-24 | v1.1 | Sentry confirmed enabled in production on the EU region (Frankfurt). Description updated from "if configured" to active. |
| 2026-04-24 | v1.0 | Initial list. |