Sub-processors
Last Updated: May 29, 2026
This page lists the third parties engaged by TONVI TECH S.L. (trading as Upload-Post) as Sub-processors to process Personal Data on behalf of our business customers, in connection with the Services. This list forms part of, and is incorporated by reference into, our Data Processing Agreement (DPA) under Article 28 GDPR.
All Sub-processors listed below are subject to written agreements containing data protection obligations no less protective than those set out in our DPA, as required by Article 28(4) GDPR.
For security reasons, Sub-processors are identified below by category and function rather than by individual corporate name. The specific identity of each Sub-processor (including legal name and country of establishment) is disclosed to business customers who have entered into our Data Processing Agreement, and to any controller on request, by emailing [email protected]. This does not affect your right to be informed of, and to object to, changes of Sub-processor under the notice procedure described below.
Current Sub-processors
| Sub-processor | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| Cloud hosting and infrastructure provider | European Union | Cloud hosting and infrastructure; storage of application data, databases, and back-ups. | Intra-EEA; no third-country transfer. |
| Object storage provider | European Union (EU jurisdictional restriction enabled) | Object storage for media files (images, video) uploaded for publication via the Services. | EU jurisdiction; Personal Data is stored and processed within the EU. EU Standard Contractual Clauses (SCCs) apply to any incidental transfers outside the EEA. |
| Payment and billing providers | European Union / United Kingdom / United States | Payment processing, merchant-of-record services, tax calculation, billing and invoicing. | EU SCCs, UK adequacy and additional measures; providers operate under the EU-U.S. Data Privacy Framework where applicable. |
| Product analytics provider | European Union (EU region) | Product analytics, feature usage and telemetry. | Intra-EEA; EU region is used. Any incidental transfers are covered by EU SCCs. |
| Transactional email and support providers | European Union / United States | Transactional emails, account notices, support tickets and customer communications. | EU SCCs, EU-U.S. Data Privacy Framework where applicable, and provider-specific data processing terms. |
| Optional AI providers Leading third-party AI providers, only when AI features are enabled or requested | European Union / United States | Generating, improving, translating, summarizing, classifying or optimizing captions, titles, descriptions, hashtags, posting times and related metadata. | EU SCCs, EU-U.S. Data Privacy Framework where applicable, and contractual no-training/no-retention settings where available. |
Optional AI processing: AI providers are used for AI-powered features. Third-party AI providers do not train their own models on customer User Content (contractual no-training/no-retention settings where available). Upload-Post itself uses customer User Content and associated analytics — in aggregated/anonymized form and, where reasonably necessary, in identifiable form — to develop, train, and improve its own and shared AI models and features offered to all users, as authorized by use of the Services under our Terms of Use.
Social Media Platform Recipients
In addition to the Sub-processors listed above, Personal Data is transmitted to the social media platforms connected by the customer for the purpose of publishing content (including, without limitation, Meta Platforms, Inc., TikTok Ltd., Google LLC / YouTube, X Corp., LinkedIn Corporation, Pinterest Inc., Reddit Inc., Bluesky PBLLC, and Threads). These platforms act as independent controllers of the Personal Data once received and apply their own terms of service, privacy policies and international transfer mechanisms. Upload-Post acts merely as a technical conduit for these transmissions and is not a Sub-processor in respect of the platforms' subsequent Processing.
Notification of Changes
We will provide notice of any intended addition or replacement of Sub-processors at least thirty (30) days before the change takes effect, by updating this page and, for customers who have signed a DPA, by email. Customers under a signed DPA may object to a change on reasonable data protection grounds within fifteen (15) days of notice, in accordance with the procedure set out in our DPA.
Contact
Questions about our Sub-processors, data residency, or the applicable transfer mechanisms can be sent to [email protected].
For the full GDPR Article 28 framework governing our Processing on behalf of business customers, see our Data Processing Agreement page. For an overview of how we handle Personal Data more broadly, see our Privacy Policy.