Sub-processors
Last Updated: May 11, 2026
This page lists the third parties engaged by TONVI TECH S.L. (trading as Upload-Post) as Sub-processors to process Personal Data on behalf of our business customers, in connection with the Services. This list forms part of, and is incorporated by reference into, our Data Processing Agreement (DPA) under Article 28 GDPR.
All Sub-processors listed below are subject to written agreements containing data protection obligations no less protective than those set out in our DPA, as required by Article 28(4) GDPR.
Current Sub-processors
| Sub-processor | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Cloud hosting and infrastructure; storage of application data, databases (MongoDB, Redis), and back-ups. | Intra-EEA; no third-country transfer. |
| Cloudflare, Inc. (R2 Object Storage) | European Union (EU jurisdictional restriction enabled) | Object storage for media files (images, video) uploaded for publication via the Services. | EU jurisdiction; Personal Data is stored and processed within the EU. EU Standard Contractual Clauses (SCCs) apply to any incidental transfers to the United States (Cloudflare's parent entity). |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Ireland (EU) / United States | Payment processing, billing and invoicing. | EU SCCs and additional measures; Stripe operates under the EU-U.S. Data Privacy Framework where applicable. |
| PostHog Inc. | European Union (EU region) | Product analytics, feature usage and telemetry. | Intra-EEA; Upload-Post uses PostHog's EU region. Any incidental transfers are covered by EU SCCs. |
Social Media Platform Recipients
In addition to the Sub-processors listed above, Personal Data is transmitted to the social media platforms connected by the customer for the purpose of publishing content (including, without limitation, Meta Platforms, Inc., TikTok Ltd., Google LLC / YouTube, X Corp., LinkedIn Corporation, Pinterest Inc., Reddit Inc., Bluesky PBLLC, and Threads). These platforms act as independent controllers of the Personal Data once received and apply their own terms of service, privacy policies and international transfer mechanisms. Upload-Post acts merely as a technical conduit for these transmissions and is not a Sub-processor in respect of the platforms' subsequent Processing.
Notification of Changes
We will provide notice of any intended addition or replacement of Sub-processors at least thirty (30) days before the change takes effect, by updating this page and, for customers who have signed a DPA, by email. Customers under a signed DPA may object to a change on reasonable data protection grounds within fifteen (15) days of notice, in accordance with the procedure set out in our DPA.
Contact
Questions about our Sub-processors, data residency, or the applicable transfer mechanisms can be sent to [email protected].
For the full GDPR Article 28 framework governing our Processing on behalf of business customers, see our Data Processing Agreement page. For an overview of how we handle Personal Data more broadly, see our Privacy Policy.