Sub-processors

In accordance with our Privacy Policy and Terms and Conditions, we use sub-processors to provide our services. This page lists the main sub-processors who potentially have access to our customers' personal data or operate systems on which such data could be processed or stored as part of service provision. We carefully select our sub-processors and ensure that they comply with appropriate privacy and security standards.

Sub-processor:

1. Google Cloud EMEA Limited (trading as Google Cloud Platform)

  • Purpose of processing/service:
    • Hosting our backend infrastructure for ClinICOS
    • Provision and operation of databases
    • General data center operations and cloud infrastructure
  • Location of data processing:
    • Primary: Germany (Frankfurt data center region (europe-west3) and Berlin (europe-west10))
    • Important: All core application data and patient data from ClinICOS remain exclusively in Germany.
  • Transfer mechanisms (if relevant to other Google services):
    • For the above-mentioned core services, there is no transfer of core application data outside Germany. Google Cloud offers comprehensive guarantees of compliance with the GDPR.
  • More information:

2. Vercel Inc.

  • Purpose of processing/service:
    • Hosting and delivery of our web front end (ClinICOS user interface)
    • Delivery of static content (e.g. images, scripts) via a global content delivery network (CDN) to optimize load times and performance.
  • Location of data processing:
    • Global (CDN): Vercel uses a global network of servers (primarily based on AWS infrastructure) to deliver web content quickly and efficiently.
    • As part of CDN use, personal data, in particular the IP addresses of users who access the ClinICOS front end, is processed worldwide in order to deliver the content from the nearest server.
  • Transfer mechanisms and guarantees for data transfers outside the EU/EEA:
    • Data transfers to countries outside the EU/EEA (in particular to the USA) are secured by the following appropriate guarantees in accordance with Article 46 GDPR:
      • Vercel is certified under the EU-U.S. Data Privacy Framework (DPF).
      • EU standard contractual clauses (SCCs) apply.

3. Cloudflare, Inc.

  • Purpose of processing/service:
    • DNS services: Resolution of our domain names (e.g. app.clinicos.de) to the corresponding IP addresses of the servers.
    • Reverse proxy services (CDN & security): Optimize load times, protect against DDoS attacks and other online threats through Cloudflare's global network. Requests to our servers are routed via Cloudflare.
  • Location of data processing:
    • Global (edge network): Cloudflare operates a worldwide network of data centers (edge locations).
    • As part of DNS resolution and proxy services, personal data, in particular the IP addresses of users who access ClinICOS, is processed worldwide in order to route requests via the nearest and most secure server.
  • Transfer mechanisms and guarantees for data transfers outside the EU/EEA:
    • Data transfers to countries outside the EU/EEA (in particular to the USA) are secured by the following appropriate guarantees in accordance with Article 46 GDPR:
      • Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF).
      • EU standard contractual clauses (SCCs) apply.
      • Cloudflare also offers Binding Corporate Rules (BCRs), which have been approved by European data protection authorities.
  • More information:

Explanation of data processing locations:

  • Core application data: All of your primary application and customer data, which you actively store and process in our web application (backend data), is stored and hosted exclusively on the infrastructure of Google Cloud Platform in Germany.
  • Front-end delivery & technical data:
    To provide the user interface of our web application (code, design, images) quickly and reliably, we use Vercel's global content delivery network (CDN). When you visit our website, technical data such as your IP address is processed by Vercel servers, which may be geographically close to your location. This is used to optimize load times and security (e.g. DDoS protection). Since Vercel operates a global network, this technical data can also be processed outside the EU/EEA. Vercel takes appropriate measures (EU-U.S. DPF certification and standard contractual clauses) to ensure that the requirements of the GDPR are met.

Changes to this list:

We review this list regularly and update it as needed. We will announce significant changes to our sub-processors or the processing locations of your core application data to our customers in advance (generally at least thirty (30) days) via appropriate channels (e.g. via email or notice in the application).