Effective date: 13 July 2026
Who we are
This Sub-processor List is published by Semly Pro, a sole proprietorship (eenmanszaak) established in the Netherlands, registered with the KvK (Dutch Chamber of Commerce) under number 99448351, VAT ID NL005387029B31, with registered address Hawaiiweg 41, 1339 NW Almere, Netherlands (trading as “SemlyPro”, “we”, “us”, “our”). SemlyPro is the entity that acts as your processor (and, for personal data governed by India’s DPDP Act 2023, as Data Processor) when we process personal data on your behalf, and it is the entity that engages the sub-processors listed below.
Succession to Semly Pro B.V. SemlyPro intends to incorporate a private limited company (Semly Pro B.V.). Upon incorporation, Semly Pro B.V. will assume the contracts under which this page is incorporated by reference (by operation of the assignment/novation clause in our Terms and Data Processing Agreement), and references to “SemlyPro” will be read as references to Semly Pro B.V. This page will be updated to name the new processor entity at that time, and its incorporation does not require your further consent.
What this page is for
This page lists the sub-processors SemlyPro engages to help provide the SemlyPro service. It fulfils our commitment under our Data Processing Agreement (DPA) to keep customers informed of the sub-processors we use and to notify customers of changes in advance. This page is the authoritative, canonical list of our sub-processors: where our Privacy Policy or other documents summarise the third parties that receive personal data, this page controls, and the DPA’s sub-processor-objection mechanism runs against the sub-processors named here.
For the objection process, and for the substantive processor and Data Processor obligations that apply to us and to our sub-processors, see the DPA at semlypro.com/dpa.
Access by SemlyPro personnel and contractors
Separately from the third-party sub-processors listed below, SemlyPro’s own personnel and authorised contractors may access Customer Materials and Content. They may do so only as necessary to: (a) provide, maintain and secure the Service; (b) troubleshoot, debug and provide support; © investigate abuse, security or Acceptable-Use-Policy issues; and (d) review and improve the Service and its models for SemlyPro’s internal, non-public purposes only. Such access is subject to confidentiality obligations, least-privilege / role-based access controls, and access logging. SemlyPro does not use Customer Materials or Content to train publicly-released AI models, and this position also binds the AI sub-processors listed below (see the AI Providers table). This mirrors the “Support and Access” commitments in our DPA and Privacy Policy.
How transfers are safeguarded
Where personal data is transferred outside the country of origin, SemlyPro relies on the following mechanisms, and requires each sub-processor to do the same for any onward transfer:
- EEA-origin data. For transfers to a third country not covered by an EU adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Modules 2 and/or 3) are the primary safeguard. Where the specific importing entity is certified under the EU-US Data Privacy Framework (Commission adequacy decision of 10 July 2023) for the relevant data type, that adequacy decision may also be relied upon. The Data Privacy Framework was upheld at first instance in Latombe v Commission (General Court, Case T-553/23, 3 September 2025) but is under appeal before the Court of Justice of the EU (Case C-703/25 P, pending). Given that pending appeal, SCCs are retained as the standalone primary mechanism and fallback, so that transfers remain lawful regardless of the appeal’s outcome.
- UK-origin data. EU SCCs alone are not a valid UK transfer tool. For UK personal data exported to a third country, SemlyPro relies on the UK Extension to the EU-US Data Privacy Framework (the “UK-US data bridge”, in force 12 October 2023) where the US importer is certified under that extension, and/or the ICO International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs as the primary and fallback mechanism. (Separately, EEA-to-UK flows to a UK-located sub-processor rely on the EU’s adequacy decision for the UK, renewed on 19 December 2025 and valid until 27 December 2031; that adequacy decision is an inbound EU-to-UK basis only, not a mechanism SemlyPro uses to export data.)
- India-origin data. For personal data governed by India’s Digital Personal Data Protection Act 2023, cross-border transfer is permitted to any country except those the Central Government restricts by notification under section 16 (a “negative list”; no countries have been notified as restricted as of mid-2026). SemlyPro will monitor and comply with any restricted-country notification and any sector-specific localisation direction. All sub-processors are engaged under written contract, and SemlyPro remains accountable for them as Data Fiduciary/Data Processor under DPDP section 8. See our India Privacy & Grievance Addendum and the DPA for the substantive DPDP processor obligations.
Current sub-processors
All sub-processors listed below were engaged as at the initial publication date shown under “Last updated”. Sub-processors added or replaced after that date are dated individually and recorded in the Change log at the foot of this page.
Infrastructure and hosting
| Provider (contracting entity) | Purpose and data categories | Location of processing | Transfer safeguard(s) | Date added |
|---|---|---|---|---|
| Vercel Inc. (USA) | Application hosting and edge delivery; processes all account and Customer Materials transiting the application | EU regions (Amsterdam, Frankfurt) for EU customers; onward to USA (parent) possible | EU SCCs (primary); EU-US DPF where Vercel is certified; UK-US data bridge / IDTA for UK data | 13 July 2026 |
| Amazon Web Services EMEA SARL (Luxembourg) | Cloud infrastructure (backup, storage) | EU regions | Intra-EEA at this hop; EU SCCs govern any onward transfer by AWS | 13 July 2026 |
| Cloudflare, Inc. (USA) | DNS, DDoS protection, edge caching, security | Global (edge) | EU SCCs (primary); EU-US DPF where Cloudflare is certified; UK-US data bridge / IDTA for UK data | 13 July 2026 |
| Supabase, Inc. (USA) | Primary production datastore where Customer Materials, account data, connected-account credentials and OAuth tokens are stored | EU region; onward to USA (parent) possible | EU SCCs (primary); UK-US data bridge / IDTA for UK data | 13 July 2026 |
| Sanity AS (Norway) | Structured content storage for the Service | EEA (Norway) | Intra-EEA (Norway is within the EEA); EU SCCs govern any onward transfer | 13 July 2026 |
AI providers
SemlyPro’s Service is built by composing third-party general-purpose AI models. Customer Materials and inference inputs transmitted to the providers below are sent under commercial/enterprise API terms that prohibit the use of inputs or outputs to train the providers’ publicly-released models and apply zero or limited retention. If any provider tier we use does not offer these terms, we will disclose that here rather than make an unqualified no-training claim.
| Provider (contracting entity) | Purpose and data categories | Location of processing | Transfer safeguard(s) | Date added |
|---|---|---|---|---|
| OpenAI Ireland Limited (Ireland) | AI content generation and analysis; processes prompts and Customer Materials submitted for generation | EU/Ireland where offered; onward to OpenAI, L.L.C. (USA) | Intra-EEA to OpenAI Ireland; onward US transfer under EU SCCs (OpenAI’s stated mechanism); UK-US data bridge / IDTA for UK data | 13 July 2026 |
| Anthropic Ireland, Limited (Dublin, CRO 760497) — onward processing by Anthropic PBC (USA) | AI content generation and analysis; processes prompts and Customer Materials submitted for generation | EU/Ireland contracting entity; model inference by Anthropic PBC in the USA | Intra-EEA to Anthropic Ireland; onward US transfer under EU SCCs (primary) and EU-US DPF where Anthropic PBC is certified; UK-US data bridge / IDTA for UK data | 13 July 2026 |
| Perplexity AI, Inc. (USA) | AI-visibility / brand-tracking measurement; customer brand terms and tracking prompts are sent to retrieve AI-citation visibility data | USA | EU SCCs (primary); UK-US data bridge / IDTA for UK data | 13 July 2026 |
Our brand-tracking feature sends the tracking prompts and brand terms you configure to third-party AI engines — including OpenAI’s ChatGPT, Perplexity and Google — to retrieve AI-visibility data. OpenAI Ireland Limited and the relevant Google entity are listed elsewhere on this page (see the AI Providers table above and “Customer-directed integrations” below); Perplexity is listed in the table above. Because these visibility queries are sent to retrieve public AI-citation data, they may be processed under those engines’ standard API terms rather than the enterprise no-training terms described above; accordingly, do not include confidential information in tracking prompts.
SEO and search data
| Provider (contracting entity) | Purpose and data categories | Location of processing | Transfer safeguard(s) | Date added |
|---|---|---|---|---|
| DataForSEO or SerpApi | Keyword research, rank tracking and domain-audit data; may transmit customer keywords and competitor URLs | EU or US | EU SCCs (primary); UK-US data bridge / IDTA for UK data | 13 July 2026 |
Payment and financial
| Provider (contracting entity) | Purpose and data categories | Location of processing | Transfer safeguard(s) | Date added |
|---|---|---|---|---|
| Stripe Payments Europe, Limited (Ireland) | Payment processing, subscription billing; processes billing and limited account/contact data | EU/Ireland; onward to Stripe, Inc. (USA) as part of the Stripe network | Intra-EEA to Stripe Payments Europe; onward US transfer under EU SCCs (primary) and EU-US DPF where Stripe, Inc. is certified; UK-US data bridge / IDTA for UK data | 13 July 2026 |
Communication and support
| Provider (contracting entity) | Purpose and data categories | Location of processing | Transfer safeguard(s) | Date added |
|---|---|---|---|---|
| Resend (USA) | Transactional email delivery (billing, security and service messages); processes recipient email address and message content | US; EU region where offered | EU SCCs (primary); EU-US DPF where certified; UK-US data bridge / IDTA for UK data | 13 July 2026 |
| Intercom or Crisp | Customer support chat and ticketing; processes support correspondence and limited account data | EU or US | Intra-EEA (Crisp, France) or EU SCCs; UK-US data bridge / IDTA for UK data | 13 July 2026 |
| HubSpot Ireland Limited or Customer.io | Marketing email and CRM (consent-based / soft opt-in only); processes contact details and marketing-engagement data | EU or US | Intra-EEA (HubSpot Ireland) or EU SCCs; UK-US data bridge / IDTA for UK data | 13 July 2026 |
Analytics and observability
| Provider (contracting entity) | Purpose and data categories | Location of processing | Transfer safeguard(s) | Date added |
|---|---|---|---|---|
| Functional Software, Inc. (dba Sentry) (USA) | Error and performance monitoring; processes diagnostic, usage and device data | EU or US (Sentry EU residency where enabled) | EU SCCs (primary); EU-US DPF where certified; UK-US data bridge / IDTA for UK data | 13 July 2026 |
| PostHog or Plausible | Product analytics (SemlyPro’s own telemetry, distinct from any customer-connected GA4); processes aggregated behavioural/usage data | EU where offered | Intra-EEA (Plausible, EU) or EU SCCs; UK-US data bridge / IDTA for UK data | 13 July 2026 |
Compliance and security
| Provider (contracting entity) | Purpose and data categories | Location of processing | Transfer safeguard(s) | Date added |
|---|---|---|---|---|
| Onfido or Sumsub | Sanctions and KYC/identity screening (higher tiers only); processes identity, sanctions-screening and beneficial-ownership data | EU or UK | For a UK-located vendor: EEA-to-UK transfers rely on the EU adequacy decision for the UK (valid to 27 December 2031); UK-to-vendor and any onward-US processing require their own basis (UK-US data bridge / IDTA / EU SCCs). | 13 July 2026 |
Customer-directed integrations and data sources
The following are customer-connected data sources and destinations. Where you authorise them, the connected platform generally acts under your own agreement with that platform, and you (not SemlyPro) are the controller/Data Fiduciary for the data at source. We nonetheless describe them here so the data map is complete:
- Google Ads, Google Analytics 4 (GA4) and Google Search Console — connected by you via OAuth. When you authorise these, SemlyPro ingests campaign, spend, performance and conversion data (Google Ads), traffic, audience and event data (GA4), and query, impression, click and index data (Search Console). Where SemlyPro stores or derives data from these sources within the Service, that data is held in our datastore (see the Infrastructure table) and processed by our sub-processors. Where any Google service (e.g. Google Cloud / Gemini) processes such data on SemlyPro’s behalf, the relevant Google entity (Google Ireland Limited, and/or Google LLC for onward US processing) acts as a sub-processor and is added to the tables above. SemlyPro’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements; see our Google API Services / Limited Use Compliance Statement and Privacy Policy.
- Customer-uploaded Excel / CSV / spreadsheet files — arbitrary tabular data you import. These may contain personal data (for which you are the controller/Data Fiduciary). Uploaded files are stored and processed by the same infrastructure sub-processors that hold your other Customer Materials.
- CMS publishing destinations (e.g. WordPress, Webflow, Shopify, Ghost, Sanity) — where you connect a CMS to publish generated content, that CMS is a customer-directed destination governed by your own agreement with the platform; SemlyPro transmits content and holds the publishing credentials/OAuth tokens you provide, in the datastore identified above.
How we choose sub-processors
Before engaging a new sub-processor we:
- assess its data-protection posture, including its GDPR / UK GDPR compliance, its stated retention practices, and its treatment of your data for AI training;
- verify its cross-border transfer safeguards (EU SCCs / EU-US DPF; UK Extension to the DPF / IDTA / UK Addendum; and, for Indian data, that the destination is not restricted under DPDP section 16);
- put in place a written data-processing agreement no less protective than our own DPA with you, consistent with GDPR Article 28, UK GDPR Article 28, and DPDP section 8.
How and when we notify you of changes
We maintain this page as the authoritative record of our sub-processors. When we add or replace a sub-processor:
- we update this page and the Change log below with the new entry and its date, so that any customer can see what changed and when; and
- we give at least thirty (30) days’ advance notice of the change and provide the right to object under the DPA. We will notify affected customers in the manner set out in the DPA (which may include email to the address on your account and/or a prominent notice on this page); do not rely on a separate email subscription as the sole route to notice.
To receive change notices by email in addition to the on-page record, you may subscribe by emailing anil@semlypro.com. Subscribing is optional and does not affect your right under the DPA to be notified of, and to object to, sub-processor changes.
A shorter notice period may apply only where a change must be made urgently for security or legal-compliance reasons; even then, we will notify you as soon as practicable and your right to object is preserved. This carve-out is narrow and does not displace the objection window for ordinary changes.
For the objection process and its consequences, see the DPA at semlypro.com/dpa.
India (DPDP Act 2023)
For customers and Data Principals in India: SemlyPro engages the sub-processors listed above under written contract and remains accountable for their processing as Data Fiduciary/Data Processor under the Digital Personal Data Protection Act 2023 (notified with the DPDP Rules 2025 on 13 November 2025; cross-border and operational obligations phasing in by ~13 May 2027). Cross-border transfers of Indian personal data are permitted subject to any restriction the Central Government notifies under section 16 (none notified as of mid-2026), and we will comply with any such notification and any sector-specific localisation direction. For DPDP rights, grievance redressal and our Grievance Officer, see our India Privacy & Grievance Addendum and contact anil@semlypro.com.
Change log
| Date | Change |
|---|---|
| 13 July 2026 | Initial publication of the Sub-processor List. |
Contact
Questions about our sub-processors: anil@semlypro.com. For India-specific data-protection queries and grievances: anil@semlypro.com (see our India Privacy & Grievance Addendum).
Last updated 13 July 2026 · Operated by Semly Pro (eenmanszaak), KvK 99448351, Hawaiiweg 41, 1339 NW Almere, Netherlands · Questions about this document: anil@semlypro.com