Automated Commerce

Sub-processors

Last Updated: 8 May 2026

This page lists the third-party sub-processors that Automated Commerce B.V. uses to deliver the Service. Sub-processors act on our instructions and are bound by data-protection obligations consistent with the GDPR and our Privacy Policy.

We notify Customers of new sub-processors (or replacements) at least 30 days in advance through this page and through in-Service notice or email. If you have signed our Data Processing Agreement, you have the right to object to a new sub-processor on data-protection grounds, as set out in the DPA.

Where a sub-processor is established outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by appropriate technical and organisational safeguards. Transfer Impact Assessments are available on request.

1. Infrastructure and hosting

Sub-processorPurposeRegionData categories
Cloudflare, Inc. (US, EU subsidiary)Workers (compute), R2 object storage, Queues, Hyperdrive, KVGlobally distributed edge; EU edges availableCustomer Content in transit and at rest; service-usage logs
Neon Inc. (managed PostgreSQL on AWS)Primary application databaseAWS eu-central-1 (Frankfurt, Germany)Account data, billing records, Customer Content, audit logs
ClickHouse, Inc. (ClickHouse Cloud on AWS)Analytics warehouse for order, channel, and campaign metricsAWS eu-central-1 (Frankfurt, Germany)Aggregated order metrics, channel performance data
Vercel Inc.Frontend hosting (Next.js apps), edge functionsGlobal edge network with EU regionsService usage logs, request data

2. AI providers

Some AI providers may, under their default terms, retain or use the data we send them — including Customer Content — for the improvement and training of their own models. Where a provider offers a no-training option we use it where commercially reasonable. See Section 5 of our Privacy Policy for detail.

Sub-processorPurposeRegionData categories
FAL AIImage-related AI generation (e.g. studio shots, edits)Outside EEA — SCCs in placeImage URLs and prompts derived from Customer Content
OpenRouter, Inc.Text-generation routing across underlying language modelsOutside EEA — SCCs in placeProduct titles, descriptions, prompt context
PhotoRoomStudio-shot image generation and background removalOutside EEA — SCCs in placeImage URLs derived from Customer Content
Tripo AI3D model generationOutside EEA — SCCs in placeImage URLs and prompts derived from Customer Content

3. Operational and other providers

Sub-processorPurposeRegionData categories
Mollie B.V.Subscription payment processingNetherlands (EEA)Billing data, payment metadata (no full card numbers)
Moneybird B.V.Accounting and invoicingNetherlands (EEA)Account and contact data, invoice records
Trigger.devBackground-job orchestrationEEA-aligned cloud regionsCustomer Content during job execution; job metadata
Resend Inc.Transactional and notification email deliveryOutside EEA — SCCs in placeEmail addresses, message content for service emails
Twenty (Twenty CRM)Customer relationship management — sales pipeline, lead and account tracking, customer-success operationsSelf-hosted on EEA infrastructureAccount contact data, sales prospect data, customer-success interaction notes
Apify Technologies s.r.o.Public-web data extraction in import flowsEEAPublic-web URLs supplied by Customer; extracted public data
Sanity.ioContent management for the marketing siteEEA / US — SCCs where applicableMarketing-site content (no Customer Content)
Umami Software, Inc. (self-hosted)Privacy-friendly page-view analytics for the platformSelf-hosted on Cloudflare; EEA edgeAggregated page-view data; no individual identifiers
Vercel Web AnalyticsCookieless marketing-site analyticsGlobal edge network with EU regionsAggregated request data; no cookies, no cross-site identifiers

4. Service connectors (controllers, not sub-processors)

When a Customer connects a third-party platform to the Service (Shopify, Google Ads, Meta, Pinterest, marketplaces, and similar), those platforms remain independent controllers in respect of any data they collect on their own account. They are not our sub-processors. Customer's use of those platforms is governed by the respective platforms' terms.

5. Contact

Questions about this list, or requests for our DPA, Transfer Impact Assessments, or further information can be sent to business@automatedcommerce.ai.

Stay Ahead: Newsletter

Get the latest insights from the AI-industry and updates on new platform features