List of Sub-processors
Last Updated: February 22, 2026
Controller: Mariusz Szlęzak
§ 1. Governance Framework
1.1 Regulatory Context and Purpose:
This comprehensive List of Sub-processors (hereinafter the “List”) is established pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and serves as a formal addendum to the Privacy Policy and Terms of Service governing the Prismare platform.
As a natural person conducting an unregistered business activity (działalność nierejestrowana) operating under the laws of the Republic of Poland, Mariusz Szlęzak (hereinafter the “Service Provider” or “Controller”) adheres to a strict doctrine of accountability and transparency regarding the digital supply chain that underpins the Service.
The Service, defined as the “Prismare” web-based trading journal and analysis platform, relies on a sophisticated ecosystem of third-party infrastructure providers (hereinafter “Sub-processors”) to deliver high-availability computing, secure data persistence, artificial intelligence capabilities, and financial transaction processing.
This document delineates the identity, location, and functional role of each Sub-processor, alongside a detailed Transfer Impact Assessment (TIA) regarding international data flows, particularly those directed toward the United States and other third countries.
1.2 Governance of Data Processing:
The Service Provider maintains a “Privacy by Design” architecture. While the Controller determines the purposes and means of processing Personal Data—specifically User Content, Account Data, and Usage Data—the technical execution of these operations is delegated to trusted Sub-processors.
The selection of these partners is governed by a rigorous vendor risk management framework that evaluates:
- Legal Compliance: The existence of binding Data Processing Agreements (DPAs) incorporating Standard Contractual Clauses (SCCs) or reliance on Adequacy Decisions.
- Security Posture: Certification against recognized standards such as ISO/IEC 27001, SOC 2 Type II, and PCI-DSS Level 1.
- Data Sovereignty: The capability to pin data storage within the European Economic Area (EEA) where technically feasible.
The Service Provider emphasizes that while Sub-processors are utilized for infrastructure, the logical control of Personal Data remains with the Controller. All downstream processing is performed strictly in accordance with the Controller’s instructions and the Terms of Service accepted by the User.
§ 2. Core Infrastructure and Compute Layer
The foundational layer of the Prismare platform involves the physical and virtualized servers where the application logic executes. This layer is responsible for the immediate processing of User requests, the rendering of the user interface, and the orchestration of API calls to secondary services.
2.1. Hostinger (Primary Compute Provider)
Functional Role: Hostinger serves as the primary hosting environment for the Prismare web application. It provides the Virtual Private Server (VPS) and dedicated compute resources necessary to run the Next.js/Node.js application runtime. All HTTP traffic initiated by the User terminates at this infrastructure layer before being routed to databases or external APIs.
Legal Entity and Contracting Chain: The Service Provider contracts with Hostinger International Limited, a private limited company registered in the Republic of Cyprus, which acts as the contracting entity for customers located within the European Union.
- Registered Office: 61 Lordou Vironos str., 6023 Larnaca, Cyprus.
- Company Registration Number: HE 301365.
However, the underlying physical infrastructure is operated by HOSTINGER operations, UAB, a limited liability company registered in the Republic of Lithuania.
- Registered Office: Švitrigailos g. 34, 03230 Vilnius, Lithuania.
- Company Number: 306308157.
Data Processing Activities:
- Volatile Processing: Execution of application code in Random Access Memory (RAM), involving the temporary processing of User credentials, journal entries, and trade data during an active session.
- Traffic Logging: Retention of server access logs (e.g., Nginx/Apache) containing IP addresses, browser User-Agent strings, and request timestamps for security monitoring and debugging purposes.
- Session Management: Handling of authentication tokens (NextAuth.js session tokens) to maintain User login states.
Location of Processing:
- Primary Data Center: Facility located in Boston, Massachusetts, United States. The Service Provider explicitly provisioned the VPS compute resources in this North American region.
- Regulatory Status: The United States is considered a third country under the GDPR. Consequently, the transfer of data to Hostinger’s Boston facility constitutes a restricted international transfer. This transfer is legally safeguarded by the execution of Standard Contractual Clauses (SCCs), which are directly incorporated into the Hostinger Data Processing Addendum (DPA).
Security Measures (TOMs): Hostinger operates globally distributed data center infrastructure designed to ensure high availability and redundancy, with a 99.9% uptime guarantee under its service terms. The company’s Information Security Management System (ISMS) is certified under ISO/IEC 27001 (current publicly referenced certification version: ISO/IEC 27001:2017). Physical security measures at data center facilities include 24/7 on-site security personnel, continuous CCTV surveillance, and strict physical access controls, as provided by Hostinger and/or its infrastructure partners. Network security is reinforced by hardware firewalls, web application firewall mechanisms (including mod_security), PHP hardening mechanisms, and DDoS mitigation strategies implemented at the network level. Hostinger operates its own autonomous system (AS47583) to manage resilient global routing via BGP. The Service Provider utilizes logical isolation within its KVM-based VPS environments to ensure tenant separation and reduce the risk of cross-tenant data access.
§ 3. Data Persistence and Database Management
The persistence layer is the “source of truth” for the Prismare platform, storing all enduring User data, including account profiles, historical trade logs, and psychological notes.
3.1. MongoDB Atlas (Database-as-a-Service)
Functional Role: MongoDB Atlas provides the managed database infrastructure. It stores the structured JSON documents that comprise the User’s trading journal. This includes highly granular trade data (entry price, exit price, volume, instrument), unstructured text notes, and hashed authentication credentials.
Legal Entity:
- Contracting Entity (EEA): MongoDB Ireland Limited, Building 2, Number One Ballsbridge, Shelbourne Road, Ballsbridge, Dublin 4, Ireland.
- Global Parent: MongoDB, Inc., New York, USA.
- Local Entity: MongoDB Poland sp. z o.o.
Location of Processing:
- Data Residency: The Service Provider explicitly configures MongoDB Atlas clusters to reside within the Warsaw, Poland (Europe-Central) or Frankfurt, Germany (Europe-West) regions. This ensures that the physical storage of Personal Data remains within the EEA.
- Sub-sub-processors (Infrastructure): MongoDB Atlas runs atop hyper-scale cloud providers. For the Polish and German regions, the underlying infrastructure is provided by Google Cloud Platform (GCP) or Amazon Web Services (AWS).
Transfer Mechanisms and Data Flow:
Although data is stored in the EU, MongoDB, Inc. (USA) provides operational support and maintenance. Limited transfers of metadata or support-related access may occur to the United States.
- EU-U.S. Data Privacy Framework (DPF): MongoDB is a certified participant, facilitating lawful transfers to its US entities.
- Standard Contractual Clauses (SCCs): The Data Processing Agreement (DPA) between the Service Provider and MongoDB incorporates SCCs to cover any transfers not encompassed by the DPF or in the event of DPF invalidation.
Encryption and Security: To mitigate the risk of unauthorized access (including by the cloud provider itself), Prismare employs encryption at rest using AES-256 volume encryption. Furthermore, sensitive fields utilize MongoDB’s Client-Side Field Level Encryption (CSFLE) where applicable, ensuring that the decryption keys are held solely by the Service Provider and not accessible to MongoDB administrators.
§ 4. Media Asset Management and Content Delivery Network (CDN)
Prismare users frequently upload graphical screenshots of financial charts. These files are typically large, binary blobs that require specialized storage and delivery networks optimized for media.
4.1. Cloudinary (Image & Video Platform)
Functional Role:
Cloudinary acts as the media management backend. When a User uploads a chart image, the file is transmitted directly from the client or via the Service Provider’s proxy to Cloudinary for storage, optimization (compression, resizing), and delivery via Content Delivery Network (CDN).
Legal Entity:
- Contracting Entity: Cloudinary Ltd., 111 W Evelyn Ave, Suite 206, Sunnyvale, CA 94086, USA (or its Israeli parent, Cloudinary Ltd.).
- Headquarters: Israel.
Data Processing Activities:
- User Content: Storage of image files (JPG, PNG, WEBP) uploaded by Users. While these images primarily depict financial charts, they are linked to User accounts and constitute Personal Data.
- Metadata Extraction: Processing of EXIF data (e.g., timestamps, software used) embedded in images.
Location of Processing:
- Storage: Cloudinary utilizes Amazon Web Services (AWS) and Google Cloud Platform (GCP) for underlying storage. While Enterprise plans allow for EU-pinning, standard processing may utilize US-based buckets or global CDN nodes (e.g., Akamai, Fastly) to ensure low-latency delivery to the User.
- Jurisdiction (Israel): Cloudinary’s parent company is based in Israel.
Transfer Mechanisms:
- Israel Adequacy Decision: The European Commission has adopted Decision 2011/61/EU, declaring that the State of Israel provides an adequate level of data protection. Transfers to Cloudinary Ltd. in Israel are treated as intra-EU transfers.
- United States: For processing by Cloudinary Inc. (USA) or storage on US servers, the transfer is legitimized via the EU-U.S. Data Privacy Framework (DPF) and the execution of Standard Contractual Clauses (SCCs).
Sub-sub-processors: Cloudinary engages the following entities to support its service delivery:
- Amazon Web Services (AWS): Hosting and storage (USA/Global).
- Google Cloud Platform (GCP): Hosting (USA).
- Akamai Technologies: Content Delivery Network (Global).
- Fastly: Content Delivery Network (Global).
§ 5. Artificial Intelligence and Generative Processing
A distinctive feature of Prismare is its AI-driven analysis, which generates trading insights, sentiment scores, and psychological summaries based on User input.
5.1. OpenAI (LLM Provider)
Functional Role:
OpenAI provides the API access to Large Language Models. The Service Provider sends textual prompts—consisting of User journal entries and trade parameters—to the OpenAI API for inference processing.
Legal Entity:
- Contracting Entity (EEA): OpenAI Ireland Ltd, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, Ireland.
- Data Importer: OpenAI OpCo, LLC, 3180 18th Street, San Francisco, CA 94110, USA.
Data Processing Activities:
- Inference: The temporary processing of User Content (prompts) to generate “AI Content” (responses).
- Abuse Monitoring: Temporary retention of API inputs and outputs for up to 30 days to monitor for violations of OpenAI’s Usage Policies (e.g., illegal content).
Location of Processing:
- Primary Processing: United States. Despite contracting with the Irish entity, the computational load for LLM inference is predominantly distributed across US data centers due to GPU availability.
- Data Retention Policy: The Service Provider utilizes OpenAI’s business API endpoints (Platform), not the consumer “ChatGPT” service. OpenAI does not use data submitted via the API to train or improve its models. This ensures that User trading strategies remain confidential and are not absorbed into the public model.
Transfer Mechanisms:
- Standard Contractual Clauses (SCCs): Transfers from OpenAI Ireland Ltd. to OpenAI OpCo, LLC are governed by intra-group agreements incorporating the EU SCCs.
- Supplementary Measures: Data in transit is encrypted via TLS 1.2+. Data at rest within OpenAI systems is encrypted. The retention period is strictly limited (30 days for abuse monitoring, zero retention for model training).
Sub-sub-processors: OpenAI utilizes the following infrastructure providers:
- Microsoft Corporation (Azure): Cloud infrastructure and model hosting (USA/Global).
- Cloudflare: Content Delivery Network and security (Global).
§ 6. Financial Transaction and Billing
The Service Provider does not directly process or store sensitive payment card credentials (PAN). All financial transactions are offloaded to a specialized, PCI-DSS compliant Payment Service Provider.
6.1. Stripe (Payments Platform)
Functional Role:
Stripe manages the entire subscription lifecycle, including the secure collection of credit card details via client-side tokenization, recurring billing, tax calculation (VAT), and fraud detection.
Legal Entity:
- Contracting Entity (EEA): Stripe Payments Europe, Limited (SPEL), The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland.
- Local Entity: Stripe Payments sp. z o.o., Warsaw, Poland.
- Regulated Entity: Stripe Technology Europe, Limited (STEL) acts as the licensed Electronic Money Institution.
Data Processing Activities:
- Payment Data: Credit card numbers, CVC codes, and expiration dates. This data is transmitted directly from the User’s browser to Stripe’s vault. Prismare only receives a secure “token” and the last 4 digits for display purposes.
- Identity Data: Name, email address, and billing address used for invoice generation.
- Transaction Metadata: Risk scores, payment outcomes, and subscription status (Active/Canceled).
Location of Processing:
- Global Architecture: Stripe operates a global infrastructure to detect fraud and process payments efficiently. Data is replicated between EEA (Ireland) and US data centers.
Transfer Mechanisms:
- EU-U.S. Data Privacy Framework (DPF): Stripe is a certified participant, ensuring lawful transfers to its US affiliates.
- Standard Contractual Clauses (SCCs): Incorporated into the Stripe Services Agreement (SSA) to cover transfers to jurisdictions not covered by an adequacy decision.
Sub-sub-processors: Stripe engages a vast network of financial institutions and technical providers, including:
- Amazon Web Services (AWS): Infrastructure.
- Banking Partners: E.g., Citibank Europe plc, Barclays Bank PLC.
- Card Networks: Visa Europe Limited, Mastercard Europe S.A.
§ 7. Analytics and Performance Monitoring
To ensure the stability of the Service and optimize the User experience, the Service Provider collects anonymized usage statistics.
7.1. Google Analytics (GA4)
Functional Role:
Google Analytics 4 (GA4) tracks User interactions with the Platform, such as page views, feature usage, and session duration. This data helps the Service Provider identify bugs, understand user flows, and improve the UI/UX.
Legal Entity:
- Contracting Entity: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
- Data Importer: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Data Processing Activities:
- Online Identifiers: IP addresses (anonymized/truncated by default in GA4), Client IDs (cookie-based).
- Device Data: Browser type, operating system, screen resolution.
Privacy Controls Implemented:
- IP Anonymization: Enabled by default in GA4, ensuring full IP addresses are not logged.
- Data Sharing Disabled: The Service Provider has disabled “Data Sharing” settings that would allow Google to use the data for its own benchmarking or advertising products.
- Retention: Data retention for event-level data is set to the minimum standard (e.g., 2 months or 14 months), after which it is aggregated.
Transfer Mechanisms:
- EU-U.S. Data Privacy Framework: Google LLC is a certified participant.
- SCCs: Google’s Data Processing Terms include Controller-to-Processor SCCs.
§ 8. Transfer Impact Assessment (TIA) and Supplementary Measures
In light of the “Schrems II” judgment (Case C-311/18) by the Court of Justice of the European Union (CJEU), the Service Provider has conducted a Transfer Impact Assessment regarding transfers of Personal Data to the United States (relevant for OpenAI, Stripe, Cloudinary, and Google).
8.1. Assessment of US Surveillance Laws
The Service Provider acknowledges that US cloud providers are subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, which may compel them to disclose data to US intelligence agencies.
8.2. Nature of Data and Risk Profile
The Personal Data processed (trading journal entries, technical charts) does not typically include “Special Category Data” (Art. 9 GDPR) such as health, biometric, or political data. The risk to the rights and freedoms of the User in the event of government access is assessed as Low, given the context of hobbyist/retail trading data.
8.3. Supplementary Technical Measures
To ensure a level of protection essentially equivalent to that guaranteed within the EU, the Service Provider and its Sub-processors implement the following technical safeguards:
- Encryption in Transit: All data transfers are protected by TLS 1.2 or higher (Transport Layer Security).
- Encryption at Rest: Sub-processors (MongoDB, Stripe, OpenAI) employ encryption for data at rest.
- Data Minimization: Prismare transmits only the data strictly necessary for the specific function (e.g., Stripe receives payment data, OpenAI receives prompt text only).
- Legal Defense: Major Sub-processors (Google, Microsoft/OpenAI, AWS) have committed to challenging unlawful or overbroad government access requests.
8.4. Conclusion
Based on the reliance on the EU-U.S. Data Privacy Framework (DPF), the execution of Standard Contractual Clauses (SCCs), and the implementation of robust encryption, the Service Provider concludes that the transfer of Personal Data to the listed Sub-processors is lawful and secure.
§ 9. User Rights and Notifications
9.1. Updates to the Sub-processor List
The Service Provider reserves the right to engage new Sub-processors or replace existing ones to improve the Service functionality or security. The current version of this list will always be available at https://prismare.ai/legal-documents/sub-processors.
9.2. Notification and Objection
In accordance with the Privacy Policy, the Service Provider will notify Users of any material changes to this List, specifically the addition of Sub-processors involving a change in jurisdiction or risk profile, at least 30 days prior to the engagement. Notification will be sent via email or a prominent dashboard notice.
Users have the right to object to a new Sub-processor on reasonable grounds related to the protection of their Personal Data. If a User objects, and the Service Provider cannot provide a commercially reasonable alternative, the User may terminate their subscription and receive a pro-rated refund for the unused period.
§ 10. Contact Information
For inquiries regarding this List, to request redacted copies of Data Processing Agreements, or to exercise rights regarding data transfers, please contact the Data Protection Officer:
Mariusz Szlęzak
Email: [email protected]
Address: ul. Na Szlakowisku 9/130, 27-200 Starachowice, Poland
Appendix A: Summary Table of Authorized Sub-processors
| Sub-processor | Corporate Location | Service Location (Data Center) | Functional Role | Transfer Mechanism |
|---|---|---|---|---|
| Hostinger International Ltd. | Cyprus / Lithuania | USA (Boston) | Web Hosting & Compute | SCCs |
| MongoDB, Inc. | USA / Ireland | Poland (Warsaw) / Germany | Database Hosting | EU-U.S. DPF / SCCs |
| Cloudinary Ltd. | Israel / USA | Global (CDN) / USA | Image & Media Management | Adequacy Decision (Israel) / SCCs |
| OpenAI Ireland Ltd. | Ireland | USA / EU | AI Model Inference | SCCs (Ireland to US) |
| Stripe Payments Europe, Ltd. | Ireland | Ireland / Global | Payment Processing | EU-U.S. DPF / SCCs |
| Google Ireland Ltd. (Analytics) | Ireland | Ireland / USA | Usage Analytics | EU-U.S. DPF / SCCs |
Note: The “Service Location” denotes the primary region where User Content is persisted or processed. Backup and redundancy workflows may utilize secondary regions defined in the respective vendor’s sub-processor documentation.
Contact Us
- Via Email: [email protected]
- Via this Link: https://prismare.ai/contact
- Mailing Address: Mariusz Szlęzak, ul. Na Szlakowisku 9/130, 27-200 Starachowice, Poland