Floynk logo

Sub-processors

List of sub-processors used by Floynk (DigitX B.V.) to deliver our marketplace management services.

Probeer Gratis

Sub-processors

Effective date: 21 April 2026

Floynk is a brand of DigitX B.V. (KvK 82240264, Nijmegen, the Netherlands). This page lists every third party that may process personal data on our behalf under Article 28 GDPR, together with the service they provide, where their processing takes place, and what safeguards are in place. It is kept current — when we add a new sub-processor we update this page and the effective date above.

If you want to receive direct email notification at least 30 days before a new sub-processor begins processing personal data, email legal@floynk.com and we'll add you to the notification list.

1. Primary hosting and infrastructure

Hetzner Online GmbH

  • Service: Dedicated and cloud servers, block and object storage
  • Role: Hosts the Floynk application, background workers, on-premise Redis, and offline database backups
  • Data location: Germany — Falkenstein (FSN1) and Nuremberg (NBG1)
  • Data processed: All application data, logs, encrypted backups
  • Legal entity: Hetzner Online GmbH, Germany
  • Transfer mechanism: None required — EEA processing
  • Safeguards: ISO 27001 certified data centres, DPA in place

Supabase, Inc.

  • Service: Managed PostgreSQL (Pro XXL), authentication, storage, realtime
  • Role: Primary customer database, user authentication, file storage
  • Data location: AWS eu-central-1 (Frankfurt, Germany)
  • Data processed: All customer data (account, marketplace, orders, products, users)
  • Legal entity: Supabase, Inc., United States
  • Transfer mechanism: Standard Contractual Clauses + EU Data Processing Addendum; processing itself stays in Frankfurt
  • Safeguards: SOC 2 Type II, HIPAA, encryption at rest (AES-256) and in transit (TLS 1.3), point-in-time recovery

2. Messaging, caching, and background processing

84codes AB (CloudAMQP)

  • Service: Managed RabbitMQ message broker
  • Role: Task queues for background jobs, marketplace sync, repricer, webhooks
  • Data location: EU region
  • Data processed: Job payloads (may contain customer and order data in transit)
  • Legal entity: 84codes AB, Sweden
  • Transfer mechanism: None required — EEA processing
  • Safeguards: Encryption in transit, DPA in place

Redis (self-hosted)

  • Service: In-memory cache and session store
  • Role: Caching and short-lived state
  • Data location: Germany (Hetzner, our own servers)
  • Note: Self-hosted on our infrastructure. Listed for transparency; not a sub-processor.

3. Transactional email

Mailgun (Sinch Email)

  • Service: Transactional email delivery (account emails, password resets, notifications, receipts)
  • Data location: EU region
  • Data processed: Recipient email address, email subject and body
  • Legal entity: Sinch Email AB (Mailgun), Sweden / United States
  • Transfer mechanism: Standard Contractual Clauses; EU region selected
  • Safeguards: ISO 27001, SOC 2, GDPR-compliant DPA

4. Marketing communications and live chat

Sendinblue SAS (Brevo)

  • Service: Marketing email campaigns and in-app / website live chat
  • Role: Newsletters, product updates, chat widget on www.floynk.com and app.floynk.com
  • Data location: European Union (France, Germany)
  • Data processed: Email address, marketing preferences, chat transcripts, IP address
  • Legal entity: Sendinblue SAS, France
  • Transfer mechanism: None required — EEA processing
  • Safeguards: ISO 27001, GDPR-compliant DPA

5. Analytics and error tracking

PostHog Inc. (EU region)

  • Service: Product and web analytics, session behaviour, feature flags
  • Data location: eu.i.posthog.com — Frankfurt, Germany
  • Data processed: Page views, events, anonymised user behaviour, IP address (processed then hashed)
  • Legal entity: PostHog Inc., United States
  • Transfer mechanism: Standard Contractual Clauses; EU region explicitly selected so processing stays in Frankfurt
  • Safeguards: SOC 2 Type II, GDPR-compliant DPA

Functional Software, Inc. (Sentry)

  • Service: Application error and performance monitoring
  • Data processed: Stack traces, application logs, browser and OS metadata, user ID (internal Floynk ID only)
  • Legal entity: Functional Software, Inc., United States
  • Transfer mechanism: Standard Contractual Clauses
  • Safeguards: SOC 2 Type II, scrubbing rules configured to strip request bodies and sensitive headers

Google Ireland Limited (Google Analytics 4)

  • Service: Aggregated marketing website analytics (via Google Tag Manager)
  • Scope: www.floynk.com only, behind cookie consent
  • Data processed: Anonymised IP, page views, referrer, device category
  • Legal entity: Google Ireland Limited, Ireland
  • Transfer mechanism: Standard Contractual Clauses for any onward transfer to Google LLC; IP anonymisation enabled
  • Safeguards: Consent-gated via Cookiebot, IP anonymisation, data retention limited to 14 months

6. Payment processing

Stripe Payments Europe, Ltd.

  • Service: Card payments, subscription billing, invoicing
  • Data location: Ireland (EU operations)
  • Data processed: Payment card data (handled directly by Stripe, never touches Floynk servers), billing address, VAT ID, company name
  • Legal entity: Stripe Payments Europe, Ltd., Ireland
  • Transfer mechanism: Standard Contractual Clauses for any onward transfer
  • Safeguards: PCI DSS Level 1, SOC 1 & SOC 2

Mollie B.V.

  • Service: Alternative payment methods (iDEAL, SEPA, Bancontact, etc.)
  • Data location: The Netherlands
  • Data processed: Payment details, billing address, transaction data
  • Legal entity: Mollie B.V., the Netherlands
  • Transfer mechanism: None required — EEA processing
  • Safeguards: PCI DSS Level 1, ISO 27001

7. Security services

Cloudflare, Inc. (Turnstile)

  • Scope: CAPTCHA / bot-protection challenges on sign-up and public forms only. We do not use Cloudflare for DNS, CDN, WAF, or any other service.
  • Data processed: IP address, browser signals, challenge outcome
  • Legal entity: Cloudflare, Inc., United States
  • Transfer mechanism: Standard Contractual Clauses
  • Safeguards: SOC 2, ISO 27001, privacy-preserving challenge design (no cookies set by Turnstile itself)

8. Artificial intelligence

Anthropic PBC (Claude API)

  • Service: Backend AI assistant for internal product features
  • How we use it: Customer-facing features call Claude via our backend. Before any request leaves our servers we strip customer personal data: names, email addresses, phone numbers, street names, and city are removed. Only postal code, house number, and country may be sent when order-geography context is required. We do not fine-tune models with customer data and we do not allow Anthropic to use our data for training (Zero Data Retention / opt-out enabled where available).
  • Data location: United States
  • Legal entity: Anthropic PBC, United States
  • Transfer mechanism: Standard Contractual Clauses
  • Safeguards: SOC 2 Type II; API traffic over TLS 1.3; input scrubbing enforced server-side before any API call

9. Container registry (no personal data)

Docker, Inc. (Docker Hub)

  • Service: Private container image registry
  • Data processed: None. Images contain application code only — no customer data, no production secrets, no environment variables are baked in. Secrets are injected at runtime from our infrastructure.
  • Legal entity: Docker, Inc., United States
  • Note: Listed for transparency. Docker Hub is not a sub-processor under Article 28 because it does not process personal data.

10. Marketplaces and e-commerce platforms (customer-controlled)

When you connect your bol.com, Amazon, Shopify, WooCommerce, or Mirakl account, Floynk acts on your behalf using credentials or OAuth tokens you provide. Those marketplaces are your data processors under your relationship with them, not Floynk's sub-processors. We pass data to them only to carry out your explicit instructions (sync a product, accept an order, update stock).

11. How we manage sub-processors

  • Before onboarding: we assess the vendor's security posture, data location, certifications, and DPA terms.
  • Ongoing: we maintain a DPA with every sub-processor that processes personal data and monitor their compliance posture.
  • Changes: additions are announced on this page at least 30 days in advance of the effective date. Customers on the notification list receive direct email notice.
  • Objection: if you object to a new sub-processor on reasonable data-protection grounds, email legal@floynk.com. We will either address the concern or, if no resolution is possible, allow you to terminate the affected services without penalty.

12. International transfers

Where a sub-processor is based outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) together with appropriate supplementary measures (encryption in transit and at rest, access controls, data minimisation). A Transfer Impact Assessment is on file for each US-based sub-processor.

13. Contact

DigitX B.V. (trading as Floynk) Jonkerbosplein 52, 6534 AB Nijmegen, the Netherlands KvK 82240264

Last updated: 21 April 2026.