Sub-processors
Identity First Media — Version 2.2, May 4, 2026
Identity First Media processes personal data on behalf of its tenants (data controllers). For specific processing activities we engage sub-processors. This page contains the current overview pursuant to Annex 2 of our Data Processing Agreement (DPA).
Our role: processor (Article 28 GDPR). Tenants are data controllers and instruct us to process via the Platform or through a separate instruction.
Sub-processors in the EU/EEA
These sub-processors operate within the EU/EEA and are fully subject to the GDPR.
| Sub-processor | Location | Function | Data processed | Safeguard |
|---|---|---|---|---|
| Supabase Inc. | Frankfurt, DE | Database, authentication, file storage | All platform data (accounts, profiles, content, contacts) | DPA in place |
| Vercel Inc. | EU edge nodes | Frontend hosting, CDN, web analytics | HTTP requests, IP addresses (transient), anonymous analytics | DPA in place |
| Cloudflare Inc. | EU (R2: EU jurisdiction) | Media storage (R2), CDN, video streaming, media processing (Workers) | Audio and video files, thumbnails, transcoded media | DPA in place |
Sub-processors outside the EU/EEA (with safeguards)
Processing outside the EU/EEA is covered by additional safeguards: Standard Contractual Clauses (SCCs) as adopted by the European Commission, a specific Data Processing Agreement (DPA), or the EU-US Data Privacy Framework. AI providers receive only pseudonymized data; directly identifying information is filtered beforehand.
| Sub-processor | Location | Function | Data processed | Safeguard |
|---|---|---|---|---|
| Anthropic PBC | San Francisco, US | AI language model (Claude): content transformation, chatbot, voice agent | Pseudonymized identity profiles, transcripts, conversation history (no direct PII) | SCCs + DPA in place |
| xAI Corp. | US | AI language model (Grok): fallback for content transformation and voice agent | Pseudonymized identity profiles, transcripts (no direct PII) | SCCs + DPA in place |
| OpenAI Inc. | San Francisco, US | Embeddings (text-embedding-3-small) for semantic search in tenant knowledge base | Pseudonymized text chunks (no direct PII) | SCCs + DPA in place |
| Deepgram Inc. | US | Audio transcription (speech-to-text) for podcasts and video | Audio files from podcasts and video (no PII metadata) | SCCs + DPA in place |
| Twilio SendGrid | US | Email delivery (marketing and transactional) | Email addresses, names, email content | SCCs + DPA in place |
| Stripe Inc. | US / EU (Dublin) | Payment processing, invoices, Stripe Connect | Payment data, billing addresses, transaction history | EU-US DPF + DPA in place |
Authorized categories
The data controller grants advance general consent for the use of sub-processors in the following categories, provided they meet the same safeguards as set out in the DPA and the notification procedure under Article 7 is followed for specific names:
- AI media generation and speech/voice providers (e.g. text-to-speech, speech synthesis, voice cloning for podcasts)
- Video and podcast hosting and streaming providers (e.g. adaptive video streaming, podcast distribution)
- Customer communication and support platforms (e.g. chat, ticketing, helpdesk)
- Error monitoring, logging and observability tools (e.g. error tracking, performance monitoring)
- EU-based privacy-friendly analytics providers (e.g. cookieless website analytics)
- Alternative payment processors (e.g. EU-based payment service providers)
Specific names within these categories are announced in accordance with the notification procedure before they are deployed.
Changes and notification
Additions or changes to sub-processors are announced at least 30 days before deployment via this page and via the tenant dashboard. The date at the bottom of this page reflects the version of the overview.
Right to object
Tenants have the right to lodge a reasoned objection to the use of a new sub-processor within 30 days of notification. Objections can be submitted to support@identityfirstmedia.com. The procedure is set out in Article 7 of the DPA.
Contact
Questions about this overview or about a specific sub-processor? Contact us at support@identityfirstmedia.com.