This page contains a list of third-party providers ("Sub-processors" or "Sub-data processors") that 3RD ApS ("3RD") uses to deliver our SaaS platform and services.
In accordance with GDPR and our Data Processing Agreement (DPA), we notify changes to this list at least 30 days before implementation.
1. Why Do We Use Sub-processors?
3RD uses reliable third-party providers to:
- Host and operate infrastructure
- Provide AI and LLM capabilities
- Process payments
- Deliver support and analytics tools
- Monitor security and performance
All sub-processors are subject to appropriate data protection agreements in accordance with GDPR.
2. Categories of Sub-processors
2.1 Infrastructure and Hosting
Providers that host the Services and store customer data.
2.2 AI and LLM Providers
Providers of AI models that process customer content to generate output.
2.3 Payment Processing
Payment providers that process billing information.
2.4 Support and Operations
Tools for customer support, monitoring and operations.
2.5 Analytics and Improvement
Tools for analyzing platform usage and improving the Services.
3. Current Sub-processors
Infrastructure and Hosting
Amazon Web Services (AWS)
- Entity: Amazon Web Services EMEA SARL
- Country: Luxembourg (EU)
- Data processing: EU regions (Frankfurt, Ireland)
- Purpose: Cloud hosting, computing, storage, database
- Data types: Customer data, user data, system logs
- Data protection: EU-US Data Privacy Framework, Standard Contractual Clauses
- Website: https://aws.amazon.com
- Privacy: https://aws.amazon.com/privacy
Google Cloud Platform (GCP)
- Entity: Google Cloud EMEA Limited
- Country: Ireland (EU)
- Data processing: EU regions (Belgium, Finland, Netherlands)
- Purpose: Cloud hosting, database, storage, backup
- Data types: Customer data, user data, backup data
- Data protection: EU-US Data Privacy Framework, Standard Contractual Clauses
- Website: https://cloud.google.com
- Privacy: https://cloud.google.com/privacy
AI and LLM Providers
OpenAI
- Entity: OpenAI OpCo, LLC
- Country: USA
- Data processing: USA (primarily), EU (certain models)
- Purpose: AI-driven analysis, scoring, generation of insights
- Data types: Prompts, queries, customer content (temporary)
- Retention: Zero-retention for API requests (Business tier)
- Data protection: Standard Contractual Clauses, EU-US Data Privacy Framework
- Website: https://openai.com
- Privacy: https://openai.com/privacy
- DPA: https://openai.com/enterprise-privacy
Anthropic
- Entity: Anthropic PBC
- Country: USA
- Data processing: USA
- Purpose: AI-driven analysis, generation of recommendations
- Data types: Prompts, queries, customer content (temporary)
- Retention: Zero-retention for API requests
- Data protection: Standard Contractual Clauses
- Website: https://anthropic.com
- Privacy: https://anthropic.com/legal/privacy
- DPA: Available upon request
Google AI (Gemini/PaLM)
- Entity: Google LLC
- Country: USA
- Data processing: USA, EU (depending on configuration)
- Purpose: AI analysis and generation
- Data types: Prompts, queries, customer content (temporary)
- Retention: Zero-retention for Vertex AI
- Data protection: EU-US Data Privacy Framework, Standard Contractual Clauses
- Website: https://cloud.google.com/vertex-ai
- Privacy: https://cloud.google.com/privacy
Payment Processing
Stripe
- Entity: Stripe Payments Europe, Ltd.
- Country: Ireland (EU)
- Data processing: EU, USA
- Purpose: Payment processing, billing, subscription management
- Data types: Payment information, billing details
- Status: Independent data controller (not sub-processor for payment data)
- Data protection: PCI DSS Level 1, Standard Contractual Clauses
- Website: https://stripe.com
- Privacy: https://stripe.com/privacy
*Note: Stripe acts as independent data controller for payment information. Customer's relationship with Stripe is governed by Stripe's own terms.*
Support and Operations
Intercom
- Entity: Intercom R&D Unlimited Company
- Country: Ireland (EU)
- Data processing: USA, EU
- Purpose: Customer support chat, helpdesk, communication
- Data types: Usernames, emails, support messages
- Data protection: Standard Contractual Clauses, EU-US Data Privacy Framework
- Website: https://intercom.com
- Privacy: https://intercom.com/legal/privacy
- DPA: https://intercom.com/legal/dpa
Sentry
- Entity: Functional Software, Inc. (dba Sentry)
- Country: USA
- Data processing: USA
- Purpose: Error tracking, performance monitoring
- Data types: Error logs, performance data, user IDs (hashed)
- Data protection: Standard Contractual Clauses
- Website: https://sentry.io
- Privacy: https://sentry.io/privacy
- DPA: https://sentry.io/legal/dpa
Analytics and Improvement
Posthog
- Entity: PostHog Inc.
- Country: USA
- Data processing: EU (self-hosted or EU cloud)
- Purpose: Product analytics, feature flags, session replay
- Data types: Anonymized usage data, feature usage, clicks
- Data protection: EU hosting option, Standard Contractual Clauses
- Website: https://posthog.com
- Privacy: https://posthog.com/privacy
- DPA: https://posthog.com/dpa
4. Data Processing Outside the EU
The following sub-processors process data outside the EU/EEA:
| Sub-processor | Country | Region of Data | Transfer Mechanism | Purpose |
|---|
| OpenAI | USA | USA (primarily), EU (certain models) | SCC + EU-US DPF | AI processing |
| Anthropic | USA | USA | SCC | AI processing |
| Google AI | USA/EU | USA, EU (configurable) | SCC + EU-US DPF | AI processing |
| Sentry | USA | USA | SCC | Error monitoring |
| Intercom | USA/EU | USA, EU | SCC + EU-US DPF | Support |
Transfer Mechanisms:
- SCC: EU Commission Standard Contractual Clauses
- EU-US DPF: EU-US Data Privacy Framework (adequacy decision)
5. Sub-processor Security
All sub-processors are selected based on:
- Security certifications: ISO 27001, SOC 2 Type II, etc.
- GDPR compliance: Documented compliance programs
- Data Processing Agreements: Signed DPAs with all sub-processors
- Security assessments: Regular vendor security reviews
- Incident response: Established security incident procedures
6. Changes to Sub-processors
6.1 Notice
Addition or replacement of sub-processors will be notified at least 30 days before implementation via:
- Email to account administrator
- Notification via platform
- Update of this page
6.2 Right to Object
If you have reasonable data protection objections to a new sub-processor:
- Submit written objection to privacy@get3rd.com within 14 days
- Specify the objection (data protection basis)
- 3RD will attempt to find alternative solution
- If not possible, you may terminate subscription with effect from the date the sub-processor is implemented
6.3 History
Previous sub-processors and changes are documented in section 8 below.
7. Customer-Specific Sub-processors
For Enterprise customers with special requirements, the following may be agreed:
- Individual approval of sub-processors
- Limitation to EU-based sub-processors
- Private AI endpoints with dedicated infrastructure
- Opt-out of specific sub-processors (may affect functionality)
Contact enterprise@get3rd.com for more information.
8. Change History
| Date | Change | Type | Notice |
|---|
| January 7, 2026 | Initial sub-processor list | N/A | N/A |
| [Future changes shown here] |
9. Contact
For questions about sub-processors:
3RD ApS
Pilestræde 52A
DK-1112 Copenhagen K
Denmark
Privacy and DPA: privacy@get3rd.com
Security: security@get3rd.com
Enterprise: enterprise@get3rd.com
Related documents:
- Data Processing Agreement (DPA): https://trust.get3rd.com/dpa
- Privacy Policy: https://trust.get3rd.com/privacy
- Security documentation: Upon request for Enterprise customers
*This list is continuously updated. Bookmark this page to stay informed.*
