Sub-Processors
Overview of the sub-processors engaged by Datargo GmbH, their processing purposes and processing locations, as well as the procedure for change notification and objection.
1. Subject Matter and Relationship to the Data Processing Agreement
(1) This overview lists the sub-processors (hereinafter “sub-processors”) that Datargo GmbH, Frankfurt am Main (hereinafter “Datargo”), engages for the processing of personal data of its business customers in connection with the provision of the modules Datargo Monitor, Datargo CRM, Datargo ID, Datargo ERP and NextPKI, as well as the bundle offering Datargo One (individually and collectively hereinafter the “Services”).
(2) This overview forms part of the Data Processing Agreement (DPA) pursuant to Art. 28 GDPR and gives concrete effect to its Section 7 (engagement of further processors). To the extent there are conflicts between this overview and the DPA, the DPA shall prevail in matters concerning the processing of personal data. Where an individual agreement deviates from this overview, that individual agreement shall prevail (Section 305b BGB (German Civil Code)). This provision applies exclusively in relation to entrepreneurs within the meaning of Section 14 BGB, to legal persons under public law and to special funds under public law (purely B2B).
(3) A sub-processor is a further processor engaged by Datargo within the meaning of Art. 28 (4) GDPR who processes the customer’s personal data on behalf of Datargo. Datargo contractually binds each sub-processor to data protection obligations equivalent to those of the DPA, in particular to sufficient guarantees for the implementation of appropriate technical and organisational measures (Art. 28 (4) GDPR). If a sub-processor fails to fulfil its data protection obligations, Datargo shall remain liable to the customer for the sub-processor’s compliance with its obligations in accordance with the liability provision of the main agreement.
2. EU Hosting and Processing Location
(1) Datargo engages sub-processors exclusively within the European Union. The processing of personal data takes place exclusively within the European Union; the hosting of the Services is carried out on Datargo GmbH’s own infrastructure with its own autonomous system (AS) in a data centre in Frankfurt am Main. The technical reachability and availability checks (check regions/check nodes) are carried out in part via the infrastructure of third-party providers worldwide; at these check nodes, only non-personal raw data of the server checks are processed, no personal data of the customers, which remain within the European Union.
(2) The sub-processors listed in this overview process personal data principally within the European Union. One exception is the delivery of app push notifications via Apple’s push service (Apple Inc., USA, Apple Push Notification service): the associated transfer to the USA is safeguarded by the EU-US Data Privacy Framework (Art. 45 GDPR) and supplementary Standard Contractual Clauses. Where Datargo engages the EU-based entity of a provider with a US parent company (Twilio Ireland Limited for SMS and voice alerting), processing nonetheless takes place exclusively within the EU; supplementary Standard Contractual Clauses are in place to counter any governmental access via the parent company (for instance under the US CLOUD Act). This is to be distinguished from payment processing in connection with Datargo’s own contract billing (payment service provider Stripe, Stripe, LLC, USA): this is carried out not as processing on behalf of the customer, but under Datargo’s own responsibility; the associated transfer to the USA is safeguarded by the EU-US Data Privacy Framework (Art. 45 GDPR) and supplementary Standard Contractual Clauses (details in the Privacy Policy ). Should, beyond this, exceptionally and subject to separate agreement, processing by a sub-processor outside the European Union come into consideration, this shall take place only under the conditions of Section 9 of the DPA (in particular an adequacy decision or Standard Contractual Clauses together with a Transfer Impact Assessment); such a sub-processor would be separately identified in the list below with the corresponding transfer mechanism.
3. General Authorisation, Change Notification and Objection
(1) General authorisation. Upon conclusion of the DPA , the customer grants Datargo general written authorisation to engage sub-processors within the meaning of Art. 28 (2) sentence 1 and (4) GDPR. The sub-processors listed below are deemed authorised upon conclusion of the contract.
(2) Change notification. Datargo shall inform the customer in advance of any intended addition or replacement of a sub-processor, with a notice period of at least 30 days before the intended engagement. Notification shall be made by updating this overview as well as additionally via the notification service described below (see Section 5).
(3) Right of objection. The customer may object to the addition or replacement of a sub-processor within 14 days of notification, in text form and for an important reason grounded in data protection law. If no objection is made within this period, the change shall be deemed authorised. An important data protection reason exists in particular where there are concrete indications that the sub-processor does not offer the guarantees required under the DPA and data protection law.
(4) Legal consequences of the objection. If the customer objects in due time and for an important reason, the parties shall endeavour to reach an amicable solution. Datargo will examine whether the Service concerned can be provided without the sub-processor or with an alternative sub-processor. If an amicable solution cannot be reached and Datargo adheres to the use of the sub-processor concerned, the customer is entitled to extraordinarily terminate the part of the Services affected by the change with reasonable notice. No further claims exist in this respect. The provisions of Section 7 of the DPA shall otherwise be authoritative.
4. Current Sub-Processors
(1) The overview below identifies the sub-processors engaged as at the date of publication, together with their processing purpose, processing location, categories of processed data and transfer mechanism.
Note: The list below names the sub-processors actually engaged as at the date of publication. It is published in the Trust Center and updated upon any change in accordance with Sections 3 and 5.
| Provider / Sub-Processor | Purpose / Service | Categories of Processed Data | Processing Location | Transfer Mechanism | Status |
|---|---|---|---|---|---|
| regfish GmbH, Germany | transactional email delivery (system and notification emails, in particular Datargo Monitor and Datargo CRM) | recipient email address, name, message content of the notification | Germany (EU) | EU processing, no third-country transfer | active |
| Twilio Ireland Limited, Ireland | delivery of SMS notifications in connection with alerting (Datargo Monitor), EU data residency | recipient telephone number, content of the notification | Ireland (EU) | EU processing; supplementary Standard Contractual Clauses vis-a-vis the US parent company (Twilio Inc.) | active |
| Twilio Ireland Limited, Ireland | delivery of voice calls in connection with escalation and alerting workflows (Datargo Monitor), EU data residency | recipient telephone number, content of the voice notification | Ireland (EU) | EU processing; supplementary Standard Contractual Clauses vis-a-vis the US parent company (Twilio Inc.) | active |
| Apple Inc., USA | delivery of app push notifications to the mobile app (Datargo Monitor) via the Apple Push Notification service | device token, content of the push notification | USA | EU-US Data Privacy Framework (Art. 45 GDPR) and supplementary Standard Contractual Clauses | active |
(2) Processing by the sub-processors named in the list is in each case carried out exclusively for the stated purpose and within the scope of the customer’s instructions and Datargo’s specifications.
5. Notification Service for New Sub-Processors
(1) Datargo provides a notification service through which customers are informed of intended changes to the sub-processor list. Notification is made through a subscription by email via the Trust Center as well as publication on this page.
(2) Customers who wish to be informed of changes shall provide a contact for this purpose via the Trust Center or via hello@datargo.com . For the running of the periods under Section 3, the notification via the provided contact shall be authoritative; if no contact is provided, the updating of this page shall constitute notification.
(3) Datargo recommends that regulated customers (in particular financial entities within the meaning of Regulation (EU) 2022/2554 (DORA) as well as essential or important entities within the meaning of Directive (EU) 2022/2555 (NIS2) and its national transposition) subscribe to the notification service in order to be able to comply with their own obligations to monitor ICT third-party service providers and their subcontractors. Extended information and audit rights of regulated customers arise from the DORA Addendum and Section 12 of the DPA .
6. Distinction from Other Service Providers (Ancillary Services)
(1) Service providers that Datargo engages for ancillary services without a material connection to the processing of the customer’s personal data (such as telecommunications, maintenance, consulting or cleaning services) shall not be deemed sub-processors within the meaning of this overview. Datargo also takes appropriate measures in this respect to safeguard confidentiality.
(2) Intra-group support services as well as the deployment of Datargo’s own staff do not constitute the engagement of sub-processors and are directly subject to the DPA .
7. Currency and Maintenance of the List
(1) Datargo keeps this overview up to date and adjusts it upon each change that is authorised or deemed authorised. The date of the last update is stated on this page: June 2026.
(2) Business customers may obtain the signature-ready version of the DPA , including the respectively current sub-processor list, via hello@datargo.com or in the Trust Center .
Authoritative language version
This document is provided in German, English and French. The English and French versions are translations provided solely for convenience. The German version is authoritative and solely binding in the event of any dispute or any difference of interpretation or translation.