HOSTELELLA Legal documentation

Sub-processors Annex

Version 1.5 Effective 27 June 2026 Annex to the DPA (Art. 28 GDPR)

This annex supplements HOSTELELLA's Data Processing Agreement (DPA) and identifies the sub-processors involved when HOSTELELLA processes personal data on the Customer's behalf. The list applies to providers used when the corresponding functionality is enabled in the Customer's environment. HOSTELELLA does not sell personal data. Providers marked as conditional only act when the relevant integration, channel or environment has been configured or enabled by the Customer.

Sub-processor contracts include obligations of confidentiality, security, assistance, return/deletion, sub-contracting and international transfers consistent with Article 28 GDPR. Where a transfer outside the European Economic Area (EEA) occurs, adequacy decisions, Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework where applicable and supplementary measures will apply.

1. Infrastructure, data and communications sub-processors

ProviderStatusPurposeData processedLocation / transfers
Microsoft Ireland Operations Limited / Microsoft Corporation (Microsoft Azure: Azure Functions, API Management, Azure Storage, Key Vault, Application Insights, Azure AI Search and Azure OpenAI Service) Primary Cloud infrastructure, backend execution, API gateway, storage, secrets management, monitoring, search, security and AI features when Azure OpenAI is used. Account data, documents, metadata, technical logs and data needed to operate the Service. Preferably EU/EEA on configured resources; possible international access or support under Microsoft's DPA, SCCs, adequacy decisions and supplementary measures.
Supabase, Inc. Primary Authentication, database, user management, sessions and associated storage when enabled. User identifiers, email, session, roles, application data and technical metadata. Depending on project region and associated services; transfers protected by DPA, SCCs and applicable safeguards.
Resend, Inc. Primary for transactional email if configured Account confirmations, invitations, orders, support, security notices and Service communications. Email, name where applicable, language, transactional content and delivery metadata. United States / provider and sub-processor infrastructure; under DPA, SCCs and applicable safeguards.
Apple Distribution International Ltd. / Apple Inc. (APNs) Conditional for iOS Push notification delivery and iOS mobile app operation. Device tokens, platform, notification preferences and technical metadata. Apple's global infrastructure with applicable safeguards.
Google Ireland Limited / Google LLC (Firebase Cloud Messaging) Conditional for Android / web push Push notification delivery and mobile app operation. Device tokens, platform, notification preferences and technical metadata. Google's global infrastructure with DPA, SCCs, EU-US Data Privacy Framework where applicable and safeguards.
Cloudflare, Inc. (Turnstile) Conditional for anti-abuse / captcha Protection against bots, abuse and automated requests. Minimal technical data, IP, browser/device signals and verification result. Cloudflare's global infrastructure with DPA, SCCs, EU-US Data Privacy Framework where applicable and safeguards.
Google Ireland Limited / Google LLC (Google Analytics) Conditional after analytics consent Aggregated measurement of public website usage when the user accepts analytics cookies. Analytics identifiers, pages visited, interaction events, technical data and approximate device/browser information. Google's global infrastructure with DPA, SCCs, EU-US Data Privacy Framework where applicable and prior consent configuration.

2. Artificial intelligence sub-processors

HOSTELELLA relies on AI providers only when the corresponding functionality is enabled (e.g., document extraction and classification, the assistant, or AI-assisted shift generation and labor-framework resolution). Before sending information to these providers, minimization measures are applied: where possible, data is pseudonymized (e.g., the shift generator operates with initials and operational data, not full names) and data not necessary for the purpose is excluded (e.g., the reason for absences is not transmitted).

ProviderStatusPurposeData processedLocation / transfers
Anthropic, PBC (Claude models via the Anthropic API) Conditional when Claude-based shift/labor or assistant AI features are used AI-assisted generation of shift proposals (decision support, with human review) and resolution of the applicable labor framework/collective agreement via web search. Not used for solely automated decisions. For shift generation: pseudonymized scheduling data (initials, role, department, contract hours and type, availability, shift-band preferences, unavailability date ranges and a minor-age indicator) and operational business parameters. For labor-framework resolution: business location (country/region/city) and sector. Full names, tax identifiers and the reason or type of absences are not transmitted. United States; under Anthropic's DPA / commercial terms, SCCs and supplementary measures. Under its commercial terms, Anthropic does not use data submitted through the commercial API to train its models.
OpenAI, L.L.C. / OpenAI OpCo, LLC Conditional (non-Azure AI) only if expressly configured Extraction, classification, assistance or analysis of documents/messages when OpenAI is used as a non-Azure provider. Content sent to the AI feature, minimal metadata and generated results. United States or other locations depending on the service; requires DPA, applicable SCC/safeguard, minimization and no-training controls unless opt-in / specific contract.

The web search used to resolve the applicable collective agreement or labor framework is performed with business location and sector data, without including employees' personal data. AI use is also subject to the Privacy Policy (AI and automated processing section) and the Terms.

3. Changes to the sub-processor list

HOSTELELLA may update this list to maintain, protect or improve the Service. Material changes (including the addition of a new sub-processor) will be communicated at least thirty (30) days in advance where reasonably possible, except for urgent changes due to security, continuity or provider replacement, which will be communicated as soon as feasible. The Customer may object on substantiated data-protection grounds under the DPA by writing to legal@hostelella.com.