# Who we work with

## Sub-Processor Selection Criteria

When selecting third-party services that handle personal data or are critical to our infrastructure, we prioritize providers in the following order:

1. **SOC 2 Type II and/or ISO 27001 certified** providers with **EU data residency**
2. **Uncertified** providers with **EU data residency**
3. **Certified** providers with **non-EU data residency** (with appropriate safeguards)

All sub-processors are contractually bound through Data Processing Agreements (DPAs) and Standard Contractual Clauses where applicable.

## Our Sub-Processors

### Core Infrastructure Sub-Processors

#### **Database & Cloud Infrastructure**

**MongoDB Atlas** (MongoDB, Inc.)

* **Purpose**: Primary database hosting
* **Data Location**: Belgium (GCP europe-west1)
* **Personal Data**: Yes - all application data
* **Certifications**: SOC 2 Type II, ISO 27001, GDPR compliant
* **Service Authentication**: Database credentials with connection string encryption
* **Administration Authentication**: Email/password (Keychain-generated) + 2FA (SMS)
* **Service Access Control**: Database-level user roles
* **Administration Access Control**: Organization roles with principle of least privilege
* **Criticality**: Critical

**Google Cloud Platform** (Google LLC)

* **Purpose**: Cloud infrastructure, Firebase services, load balancing
* **Data Location**: Belgium (europe-west1)
* **Personal Data**: Yes - authentication, file storage, messaging
* **Certifications**: SOC 2 Type II, ISO 27001, GDPR compliant
* **Service Authentication**: Service accounts with encrypted JSON keys
* **Administration Authentication**: Google Account (Keychain-generated password) + 2FA
* **Service Access Control**: IAM roles with principle of least privilege
* **Administration Access Control**: Organization-level IAM with project-specific permissions
* **Criticality**: Critical

**Firebase Auth** (Google LLC)

* **Purpose**: User authentication
* **Data Location**: US
* **Personal Data**: Yes - authentication credentials, user identifiers
* **Certifications**: SOC 2 Type II, ISO 27001, GDPR compliant
* **Service Authentication**: Service accounts with encrypted JSON keys
* **Administration Authentication**: Google Account (Keychain-generated password) + 2FA
* **Service Access Control**: Firebase Security Rules with project-scoped service accounts
* **Administration Access Control**: Organization-level IAM with project-specific permissions
* **Criticality**: Critical

#### **Application Services**

**Vercel** (Vercel Inc.)

* **Purpose**: Web application hosting and CDN
* **Data Location**: France (AWS eu-west-3)
* **Personal Data**: Limited - session cookies, request logs
* **Certifications**: SOC 2 Type II
* **Service Authentication**: API tokens with project-specific scope
* **Administration Authentication**: Email/password (Keychain-generated) + 2FA
* **Service Access Control**: Token-based access with resource restrictions
* **Administration Access Control**: Team roles and project-level permissions with principle of least privilege
* **Criticality**: Critical

**Resend** (Resend Inc.)

* **Purpose**: Transactional email delivery
* **Data Location**: Ireland (AWS eu-west-1)
* **Personal Data**: Yes - email addresses, delivery metadata
* **Certifications**: SOC 2 Type II
* **Service Authentication**: API keys
* **Administration Authentication**: Email/password (Keychain-generated) + 2FA or OTP
* **Service Access Control**: API key permissions and domain restrictions
* **Administration Access Control**: Team member roles and sending domain permissions
* **Criticality**: Critical

**Upstash** (Upstash Inc.)

* **Purpose**: Queue management and background job processing
* **Data Location**: EU (AWS eu-central-1, Frankfurt)
* **Personal Data**: Limited - processing metadata
* **Certifications**: SOC 2 Type II
* **Service Authentication**: API tokens + signing key
* **Administration Authentication**: Email/password (Keychain-generated) + 2FA
* **Service Access Control**: Token-based access with resource restrictions
* **Administration Access Control**: Team roles with database-specific permissions
* **Criticality**: Medium

#### Analytics and User Support

**PostHog** (PostHog Inc.)

* **Purpose**: User behavior analytics, session replay, error monitoring
* **Data Location**: EU (Frankfurt)
* **Personal Data**: Yes - anonymized usage data, session recordings
* **Certifications**: SOC 2 Type II, GDPR compliant
* **Service Authentication**: Publicly visible project API key with domain verification
* **Administration Authentication**: Email/password (Keychain-generated) + 2FA
* **Service Access Control**: Write access only (to log events, no read allowed)
* **Administration Access Control**: Project-based access with role-based permissions
* **Criticality**: Medium

**Google Analytics** (Google LLC)

* **Purpose**: Web analytics and user insights
* **Data Location**: EU servers (with BigQuery export to Belgium)
* **Personal Data**: Yes - user interactions
* **Certifications**: ISO 27001, GDPR compliant
* **Service Authentication**: Measurement Protocol with API keys
* **Administration Authentication**: Google Account (Keychain-generated password) + 2FA
* **Service Access Control**: Property-scoped data collection permissions
* **Administration Access Control**: Property-level permissions and user roles
* **Data Flow**: Exported to BigQuery (Belgium) for analysis
* **Criticality**: Medium

#### AI Services

**Anthropic** (Anthropic, PBC)

* **Purpose**: AI language model API for content generation and analysis features
* **Data Location**: US
* **Personal Data**: Limited - user-submitted content processed through AI features; may include the first name and last name of the person interacting with the feature, but no further personal data
* **Certifications**: SOC 2 Type II
* **Service Authentication**: API keys
* **Administration Authentication**: Email/password (Keychain-generated) + 2FA
* **Service Access Control**: API key permissions with usage limits
* **Administration Access Control**: Organization roles with principle of least privilege
* **Criticality**: Medium

**OpenAI** (OpenAI, LLC)

* **Purpose**: AI language model API for content generation and analysis features
* **Data Location**: US
* **Personal Data**: Limited - user-submitted content processed through AI features; may include the first name and last name of the person interacting with the feature, but no further personal data
* **Certifications**: SOC 2 Type II
* **Service Authentication**: API keys
* **Administration Authentication**: Email/password (Keychain-generated) + 2FA
* **Service Access Control**: API key permissions with usage limits
* **Administration Access Control**: Organization roles with principle of least privilege
* **Criticality**: Medium

#### Internal Operations

**BigQuery** (Google LLC)

* **Purpose**: Data warehouse for analytics and reporting
* **Data Location**: Belgium (europe-west1)
* **Personal Data**: Yes - aggregated and anonymized analytics data
* **Certifications**: SOC 2 Type II, ISO 27001, GDPR compliant
* **Service Authentication**: Service account with encrypted keys
* **Administration Authentication**: Google Account (Keychain-generated password) + 2FA
* **Service Access Control**: Dataset-level IAM roles with query restrictions
* **Administration Access Control**: Project-level permissions with dataset-specific access
* **Criticality**: Low

### Data Processing Safeguards

* **Legal Framework**: All sub-processors operate under contractual data protection obligations through their Terms of Service, Data Processing Addendums, or formal DPAs where applicable
* **International Transfers**: Standard Contractual Clauses (SCCs) implemented for non-EU processors
* **Access Controls**: API authentication with IP restrictions and rate limiting where applicable
* **Data Minimization**: Only necessary data shared with sub-processors based on service requirements

***

**For sub-processor and data processing questions, contact:** <dpo@eliapp.io>

**Last Updated:** March 2026

