This page lists all third-party subprocessors engaged by DMARCFlow (Ucar Solutions UG) to process personal data on behalf of customers. We maintain this list as a public record in accordance with Article 28 GDPR. Customers with general authorisation DPAs will be notified of material changes at least 30 days before a new subprocessor begins processing personal data.
Controller: Ucar Solutions UG (haftungsbeschränkt), Feldstraße 1, 65719 Hofheim am Taunus, Germany, info [at] ucar-solutions.de
Website & Marketing
| Subprocessor | Purpose | Data Categories | Location | Transfer outside EEA? | Safeguard |
|---|---|---|---|---|---|
| Google Analytics; Google Ireland Limited; Gordon House, Barrow Street, Dublin 4, Ireland; dpo-google@google.com | Web analytics, usage statistics | IP address, device/browser data, behavioural data | EU (Ireland) + US | Yes | EU-US DPF + SCCs (fallback) |
| Google Ads; Google Ireland Limited; Gordon House, Barrow Street, Dublin 4, Ireland; dpo-google@google.com | Conversion tracking, advertising | IP address, click IDs, hashed email (SHA-256) | EU (Ireland) + US | Yes | EU-US DPF + SCCs (fallback) |
| Voiceflow; Voiceflow, Inc.; 410 Adelaide St W, Suite 610, Toronto, Ontario M5V 1S8, Canada; security@voiceflow.com | AI chatbot / customer engagement | Chat messages, user interactions | Canada | Yes | SCCs + UK Addendum |
Platform & Infrastructure
| Subprocessor | Purpose | Data Categories | Location | Transfer outside EEA? | Safeguard |
|---|---|---|---|---|---|
| Amazon Web Services (AWS); Amazon Web Services EMEA SARL; 38 Avenue John F. Kennedy, L-1855 Luxembourg; aws.amazon.com/compliance/gdpr-center | Email inbox (Amazon WorkMail) | Email content and metadata (sender, recipient, subject, body) | EU | Possible (limited; customer controls region) | SCCs (auto-incorporated in AWS Service Terms) + EU-US DPF |
| STRATO GmbH; STRATO GmbH; Otto-Ostrowski-Straße 7, 10249 Berlin, Germany; datenschutz@strato.de | Web hosting / server infrastructure | All data processed by the application (IP addresses, request logs, stored data) | Germany (Berlin + Karlsruhe) | No | AVV pursuant to Art. 28 GDPR (automatically concluded upon contract) |
| Sentry; Functional Software, Inc.; 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA; compliance@sentry.io | Error tracking and application monitoring | IP addresses, user IDs, error context, request data | US (EU Frankfurt region available) | Yes | SCCs (Module 2/3) + EU-US DPF |
Email Delivery
| Subprocessor | Purpose | Data Categories | Location | Transfer outside EEA? | Safeguard |
|---|---|---|---|---|---|
| Brevo; Sendinblue SAS; 17 rue de Salneuve, 75017 Paris, France; dpo@brevo.com | Transactional & marketing email delivery | Email address, name, email content | France / Germany (EEA) | Yes (US, India) | SCCs + EU-US DPF |
Payments
| Subprocessor | Purpose | Data Categories | Location | Transfer outside EEA? | Safeguard |
|---|---|---|---|---|---|
| Mollie; Mollie B.V.; Keizersgracht 126, 1015 CW Amsterdam, Netherlands; dpo@mollie.com | Payment processing, subscription billing | Name, billing address, payment details, transaction data | Netherlands (EEA) | Yes (via Mollie sub-processors) | SCCs |
Optional Customer Integrations
These subprocessors are only engaged when a customer explicitly enables the integration. The customer acts as controller for the configuration and is responsible for ensuring an adequate legal basis and transfer mechanism applies for their chosen destination.
| Subprocessor | Purpose | Data Categories | Location | Transfer outside EEA? | Safeguard |
|---|---|---|---|---|---|
| Slack; Slack Technologies LLC; 500 Howard Street, San Francisco, CA 94105, USA; feedback@slack.com | Optional alert notifications via customer-configured webhook | Domain event data, alert messages, organisation name | US | Yes | SCCs (slack.com/terms-of-service/data-processing) |
| PagerDuty; PagerDuty, Inc.; 600 Townsend Street, Suite 200, San Francisco, CA 94103, USA; privacy@pagerduty.com | Optional incident alerting via customer-configured integration | Alert event data, severity, organisation context | US | Yes | SCCs (pagerduty.com/privacy-policy) |
| Customer-defined webhook endpoints; Defined by customer | Customer-configured event delivery to third-party systems | DMARC event payloads, domain information | Customer-defined | Customer-defined | Customer's responsibility as independent controller |
Notes
- Fonts: Font files are served from our own servers. No requests are made to Google Fonts or any external font CDN at runtime.
- TinyMCE: Used for rich text editing in administration. Processed locally in the browser — no data is transmitted to Tiny servers.
- SheetJS: Used solely for client-side Excel/CSV export. No data is transmitted to any external server.
- OpenStreetMap: Map tile rendering for email geolocation visualisation. IP address and tile request parameters are processed. Processing location: UK / distributed tile CDN (UK adequacy decision applies).
Changes to This List
We review and update this list when subprocessors are added, removed, or change their processing details. Customers subscribed to general authorisation in their DPA will be notified at least 30 days before a new subprocessor begins processing personal data, giving time to object.
Questions about this list: info [at] ucar-solutions.de