Sub-processors
Version 1.5 · last updated 4 June 2026
This page lists the third parties to which Altanest SAS (operating GO TRACE at go-trace.com) discloses personal data, the role each plays, where they are located, and the legal mechanism that covers any cross-border transfer. It is the standalone reference list that mirrors §5 of our Privacy Policy; it exists so B2B procurement teams can bookmark it.
1. How this page is maintained
This page is updated when we add, remove, or materially change a sub-processor. The version number and "last updated" date at the top reflect the most recent change; the full change history is at §7. The corresponding section of the Privacy Policy (§5) is updated in lockstep.
We do not commit to a fixed advance-notice window for sub-processor changes. If your contract with us requires one, that contractual term applies and we will honour it; in that case, please write to contact@go-trace.com with your DPA reference.
2. Current sub-processors
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Web hosting and server infrastructure for both go-trace.com and our self-hosted Umami analytics endpoint | Nuremberg, Germany (EU) | Within the EEA: no transfer mechanism required |
| Web3Forms (operated by Statichunt) | Contact-form forwarding. Receives submissions from /contact and /fr/contact, retains them for up to 30 days for delivery and audit, relays to our inbox by SMTP, then auto-deletes. | India | European Commission's 2021 Standard Contractual Clauses (SCCs) |
| Google Ireland Ltd. (Google Workspace) | Email service for @go-trace.com addresses; receives the body of email correspondence with us. | Dublin, Ireland (EU); sub-processors may be in the United States | EU–US Data Privacy Framework certification and/or Standard Contractual Clauses |
| Stripe Payments Europe, Ltd. | Payment processing for our paid products (the Personalised DPP Provider Shortlist, the DPP Readiness Assessment, and the Green Claims Audit). When you pay, you are redirected to Stripe Checkout on a Stripe domain, where Stripe collects your card details, name, billing address, and email and processes the transaction. Stripe returns the user to go-trace.com with a session reference; we never see or store card details. Stripe also receives an order metadata reference (our internal submission ID) to allow us to reconcile payment with the corresponding questionnaire response. | Dublin, Ireland (EU); onward transfers to Stripe Inc. in the United States for processing | Within the EEA primary; for onward US transfers: EU–US Data Privacy Framework certification and the European Commission's 2021 Standard Contractual Clauses. Stripe's Data Processing Addendum is published at stripe.com/legal/dpa and incorporated by reference into our engagement with Stripe. |
| Sendinblue SAS (Brevo) | Transactional email relay for our questionnaires, assessments and audits: customer-facing emails (your DPP Provider Finder results; buyer confirmations for the DPP Readiness Assessment and the Green Claims Audit; and the Green Claims Audit and DPP Readiness Assessment “resume your intake” links), and owner-notification emails sent internally to contact@go-trace.com when a submission is completed, saved for later, or paid. Brevo receives the recipient address, the subject line, and the body of the message (which may include your name, the computed result, and a submission or draft reference). Brevo retains the message for delivery and bounce-management purposes and auto-deletes per its standard retention. | Paris, France (EU) | Within the EEA: no transfer mechanism required. Brevo's DPA is published at brevo.com/legal/termsofuse/dpa and applies to processing on our behalf. |
3. Independent controllers, not our processors
The following parties may receive your data when you choose to interact with them, but they act as independent data controllers (or joint controllers) on their own legal basis. We are not their processor and they are not ours.
| Party | Role | Where engaged |
|---|---|---|
| Teachable Inc. | Course delivery platform; receives your enrolment data and processes payment when you buy a course. | The separate Teachable subdomain reached when you purchase a course. Governed by Teachable's own Privacy Policy. |
| LinkedIn Corporation | Receives your subscription data when you subscribe to "The GO TRACE News Thread" newsletter on LinkedIn. | External LinkedIn newsletter platform. Governed by LinkedIn's own privacy policy. |
4. Self-hosted infrastructure (no third-party processor)
The following processing happens on our own infrastructure and does not involve any third-party processor:
- Self-hosted Umami analytics at
analytics.conclavik.com. Operated by Altanest SAS under the Conclavik brand on the same Hetzner box asgo-trace.com. See §5 of the Privacy Policy for full details. - Web-server access logs on the same Hetzner box. Standard nginx logs, kept at most 30 days.
- First-party submission database: a SQLite database stored on the same Hetzner box at
/var/lib/go-trace/solution-map.db. Holds the Provider Finder, DPP Readiness Assessment and Green Claims Audit submissions (and any saved assessment or audit drafts) — the responses, any computed result, the contact details, the consent flag, and the Stripe session reference (if any). Backed up nightly on the same Hetzner infrastructure. No third party touches this database.
5. Not currently used
For full transparency: MailerLite has a DKIM record on the go-trace.com DNS zone (legacy configuration) but is not currently used for any processing of your data. If we activate it in the future we will update this page and §5 of the Privacy Policy accordingly.
6. Data Processing Agreements
Where required by GDPR Article 28, a written Data Processing Agreement (DPA) is in place with each sub-processor. A copy of any DPA is available to data subjects and B2B clients on request from contact@go-trace.com.
If you are a B2B client and need Altanest SAS to sign your DPA template (for example because we handle some of your supplier data under an Ongoing DPP Advisory engagement, previously offered as “Compliance Partner”), see /dpa.
7. Version history
- v1.5, 2026-06-04: extended the Brevo entry (§2) and the first-party database description (§4) to cover the DPP Readiness Assessment “save & continue later” drafts and resume-link email — the same mechanism shipped for the Green Claims Audit earlier today. No new sub-processor. Mirrors Privacy Policy v1.11.
- v1.4, 2026-06-04: broadened the Stripe and Brevo entries (§2) and the first-party database description (§4) to cover all paid products — the DPP Readiness Assessment and Green Claims Audit, not only the Personalised DPP Provider Shortlist — and the Green Claims Audit “save & continue later” drafts and resume-link email. No new sub-processor was added; Stripe and Brevo already covered this processing. Removed product prices from the descriptions (irrelevant to data protection and prone to going stale). Mirrors Privacy Policy §3–§7 v1.10.
- v1.3, 2026-05-17: promoted Sendinblue SAS (Brevo) from §5 "Not currently used" into the active sub-processor table in §2. Brevo's SMTP relay is now in production use for transactional emails related to the DPP Provider Finder and Personalised DPP Provider Shortlist flow (customer-facing "your DPP Provider Finder" emails and internal owner-notification emails when a submission is completed or paid). Brevo is in France (EU) so no transfer mechanism beyond the standard intra-EEA processing is required; Brevo's DPA applies to processing on our behalf. §5 now lists only MailerLite as the remaining legacy DKIM-only DNS record.
- v1.2, 2026-05-16: removed the self-imposed 30-day prior-notice commitment that had been in §1 since v1.0. This was a discretionary B2B-procurement promise rather than a regulatory requirement; sub-processor changes will still be published here, in §5 of the Privacy Policy, and in this version history, but without a fixed advance-notice window. Where a specific contract with us requires one, that contractual term applies and supersedes this page.
- v1.1, 2026-05-16: added Stripe Payments Europe Ltd. as a sub-processor for the Personalised DPP Provider Shortlist payment flow (€990). Added the first-party SQLite submission database to §4.
- v1.0, 2026-05-03: page first published as a standalone mirror of Privacy Policy §5. Sub-processors covered: Hetzner, Web3Forms, Google Workspace. Independent controllers: Teachable, LinkedIn. Self-hosted: Umami, server logs. Not active: Brevo, MailerLite.