Sub-Processor List.
TL;DR. Complete list of all sub-processors we use in delivering our services — with location, function, contract status and data access scope. GDPR Art. 28-compliant. Machine-readable at /.well-known/sub-processors.json.
Status and scope
This list covers all processors we use to deliver contracted services. It is maintained and communicated in writing to all active clients within 14 days of any change. A machine-readable variant is available at /.well-known/sub-processors.json and can be imported into compliance tooling.
For finance clients with DORA obligations: a separate DORA Sub-Processor Architecture Register is provided and delivered client-specifically.
Where to get the full details
The short list on this page is the publicly available version. Detailed contract specifics, audit scopes per sub-processor and risk scoring are provided under NDA — we set up an NDA process within 48 hours. For active clients, the full list is part of the Data Processing Addendum.
Categories
We distinguish three categories of sub-processor:
- Infrastructure — hosting, data centres, network services
- Operations Tools — monitoring, logging, ticketing, communications
- Model Providers — LLM and AI model providers (for clients using these models — BYO-Key standard)
All EU sub-processors are directly subject to GDPR. For non-EU sub-processors, we use EU Standard Contractual Clauses and conduct Transfer Impact Assessments. US sub-processors are only used if (a) the client explicitly consents and (b) no personal or sensitive data is transferred.
Status and scope
| Infrastructure location | Germany / EU · primarily Hetzner, IONOS, OVH-EU |
|---|---|
| Data residency (default) | Germany (Frankfurt, Nuremberg) · EU alternatives available |
| Model providers | Anthropic, OpenAI, Mistral, local Llama/GPT-OSS · BYO-Key |
| Sub-processors outside the EU | Only with client consent · SCC + TIA |
| Change notice | 14 days before effective date to active clients |
| JSON variant | /.well-known/sub-processors.json |
| DORA register | Available for finance clients · client-specific |
| Machine format | JSON-Schema documented · stable since v1 |
Questions often asked before contract
-
How quickly are changes communicated?
14 days before effective date to all active clients — in writing, with justification. For sub-processor changes that alter the risk class, the notice period is 30 days. -
Can we object to a sub-processor?
Yes — via the Data Processing Addendum. Standard: 14-day objection period after notice. If the sub-processor is essential and the objection cannot be resolved, termination of the client agreement for cause is possible. -
Are model providers listed as sub-processors?
Only if dynexo provides model access. With BYO-Key (standard), data flows directly from client to provider — we are not a sub-processor in that chain. -
Is this sufficient for DORA audits?
The public list is an overview. The DORA Sub-Processor Architecture Register (Art. 28) is a separate document with risk scoring, substitutability analysis and ICT concentration risk assessment. Provided to finance clients under NDA.
Full sub-processor list under NDA.
NDA process in 48 hours. For finance clients, additional DORA Architecture Register. Machine-readable JSON variant publicly available.