Cocopipe Subprocessor List
Last Updated: 11/11/2025
This page lists all subprocessors engaged by Cocopipe OÜ (“Cocopipe”, “we”, “our”, or “us”) that may process Customer Data as part of the Cocopipe App and related services.
This document forms part of the Data Processing Addendum (DPA) and is provided in accordance with Article 28 of the GDPR.
1. Overview
Subprocessors are third-party companies that provide infrastructure, hosting, analytics, communication, or payment services that support Cocopipe’s operations.
Cocopipe ensures that all subprocessors:
- Sign a Data Processing Agreement (DPA) with Cocopipe,
- Comply with GDPR and equivalent security standards (e.g., ISO 27001, SOC 2),
- Store and process data within the European Economic Area (EEA) or under approved transfer mechanisms (e.g., Standard Contractual Clauses).
2. Current Subprocessors
|
Category
|
Vendor
|
Location
|
Purpose of Processing
|
Data Stored / Processed
|
|---|---|---|---|---|
|
Infrastructure & Hosting
|
Amazon Web Services (AWS)
|
EU (Ireland, Frankfurt)
|
Cloud hosting, database, backups
|
All service data and files
|
|
Cloudflare, Inc.
|
EU / USA (SCCs)
|
CDN, DDoS protection, caching
|
IP, request metadata
|
|
|
Payment Processing
|
Stripe Payments Europe, Ltd.
|
Ireland
|
Subscription billing and invoicing
|
Billing info, payment tokens
|
|
Email & Notifications
|
Resend
|
USA (SCCs)
|
Transactional and notification emails
|
Email address, message logs
|
|
Email Marketing
|
Brevo
|
EU
|
Marketing and system emails
|
Email address, preferences
|
3. Subprocessor Onboarding & Due Diligence
Before engaging a new subprocessor, Cocopipe:
- Reviews the vendor’s privacy and security practices,
- Ensures contractual GDPR compliance, and
- Performs a risk assessment based on the type of data processed.
All subprocessors are required to:
- Use data only for authorized purposes,
- Maintain confidentiality, and
- Implement industry-standard security controls.
4. Updates to Subprocessors
Cocopipe may update this list periodically as new vendors are engaged or existing ones are replaced.
Customers will be notified via email or in-app notification at least 30 days before any new subprocessor begins processing Customer Data.
To object to a new subprocessor, contact us at [email protected] within that 30-day period.
5. Data Transfers
All subprocessors located outside the European Economic Area (EEA) operate under:
- The EU Standard Contractual Clauses (SCCs), or
- An adequacy decision by the European Commission ensuring lawful cross-border data transfers.
5. Data Transfers
For questions about Cocopipe’s subprocessors or data transfer mechanisms:
📧 [email protected]
📍 Registered address: [To be added – Tallinn, Estonia]