Sub-processors
Last updated: 3 May 2026 · Version 1.0
Advanta engages the third parties listed below to provide infrastructure, security, observability, and operational services. These sub-processors may process Customer Personal Data only as necessary to deliver the contracted Services and only under written agreements that bind them to confidentiality and security obligations equivalent to those in our DPA.
We notify Customers of new sub-processors at least 30 days before they are engaged, in line with the Data Processing Agreement (DPA). Customers may object to changes during that window. To subscribe to update notifications, email diogo@advanta.pt.
Infrastructure & runtime
| Provider | Service | Data location | Purpose |
|---|
| Amazon Web Services EMEA SARL | AWS — RDS, ECS, S3, KMS, Secrets Manager, ElastiCache, ALB, WAF, CloudWatch | EU (eu-central-1, Frankfurt) | Production runtime, primary data storage, encryption, audit log retention |
| Vercel Inc. | Edge hosting + Edge Functions | EU (Frankfurt + Paris regions) | Marketing site, developer portal, sandbox API endpoints |
| Cloudflare, Inc. | DNS + DDoS mitigation (when enabled) | Global (anycast) | DNS resolution; no Customer Personal Data passes through |
Identity & authentication
| Provider | Service | Data location | Purpose |
|---|
| WorkOS, Inc. | SAML / OIDC SSO federation | EU (Frankfurt) | Enterprise SSO for bank admin users on admin.advanta.pt |
Observability & security
| Provider | Service | Data location | Purpose |
|---|
| Axiom, Inc. | Log management | EU | Application logs (90d hot, 7y cold via S3 Glacier). PII redacted at log emission. |
| Functional Software, Inc. d/b/a Sentry | Error tracking | EU (Frankfurt) | Application errors and stack traces (PII scrubbed) |
| Statuspage, Inc. (Atlassian) | Status page | EU + US | Public uptime and incident history. No Customer data. |
Email & messaging
| Provider | Service | Data location | Purpose |
|---|
| Resend Inc. | Transactional email | EU (Ireland) | Customer notifications, magic-link emails, ESG reports |
Billing
| Provider | Service | Data location | Purpose |
|---|
| Stripe Payments Europe Limited | Payment processing + metered billing | EU + US (with SCCs) | Subscription billing, invoicing, payment methods. PCI-DSS Level 1 certified. |
CRM & support
| Provider | Service | Data location | Purpose |
|---|
| Attio Limited | Customer relationship management | EU | Sales and customer success records (work-context contact data only) |
Optional / feature-gated
| Provider | Service | Data location | Purpose |
|---|
| OpenAI Ireland Limited | LLM API (when enabled per Customer) | EU (when EU residency option is enforced) | Optional ESG narrative generation. Off by default. Customer opt-in only. PII never sent. |
| Anthropic PBC | LLM API (when enabled per Customer) | EU (when EU residency option is enforced) | Optional credit-narrative generation. Off by default. Customer opt-in only. |
What we do NOT use as sub-processors: Google Analytics, Facebook Pixel, Hotjar, FullStory, or any session-replay / behavioural-tracking tool on customer-facing applications. Marketing pages on advanta.pt may use privacy-friendly analytics (Plausible) without cookies.
Cross-border transfers
For sub-processors that may process data outside the EEA (currently: Stripe US fallback for some payment flows), transfers rely on the EU Standard Contractual Clauses (SCCs, 2021/914) and supplementary measures (encryption in transit and at rest, data minimization).
Contact
Data Protection Officer: diogo@advanta.pt
Advanta
Legal · Sub-processors