# Sub-processors

**Aquil — ISO 27001 ISMS Management Service**

**Last updated:** 2026-04-16
**Version:** 1.1

This page lists the third parties ("**Sub-processors**") that Sokigo AB engages to process Personal Data on behalf of Customers in connection with the Aquil Service. It is published in accordance with Section 7 of the Aquil DPA.

## Subscribe to changes

To receive advance notification of additions or replacements of Sub-processors, subscribe at: **https://aquil.se/legal/subprocessors/subscribe**

Sokigo will notify subscribers and update this page at least **30 days** before any new Sub-processor begins processing Customer Personal Data.

## Current Sub-processors

| # | Sub-processor | Legal entity | Service provided | Location of processing | Personal data categories | Transfer mechanism |
|---|---|---|---|---|---|---|
| 1 | **Microsoft Azure** | Microsoft Ireland Operations Limited | Azure AI Foundry (model inference: `gpt-oss-120b`); Azure Key Vault (encryption keys held by Sokigo, not Microsoft); related Azure platform services | Sweden (Sweden Central region) | Any personal data submitted by Customer in prompts/inputs to AI features | Adequacy (intra-EEA). Microsoft EU Data Boundary. Microsoft Product Terms + DPA. SCCs apply for any incidental US support access. |
| 2 | **Nordlo** | Nordlo Sverige AB | Managed IT services for Sokigo's on-premise Nutanix infrastructure (operating system administration, hardware maintenance, monitoring, incident response) | Sweden | All Customer Data at the infrastructure layer (encrypted at rest with CMK held by Sokigo) | Adequacy (intra-EEA). Written DPA flowing down GDPR art. 28 obligations. |
| 3 | **Auth0 (Okta)** | Auth0 EMEA Limited (Ireland), with Okta, Inc. (US) as ultimate parent | Authentication, identity management, MFA | EU tenant (Germany) | Email address, hashed password, MFA factor metadata, login timestamps, IP address | Adequacy (intra-EEA). Okta certified under EU-US Data Privacy Framework. SCCs in place. TIA conducted (see Trust page). |
| 4 | **Resend** | Resend Inc. | Transactional email delivery (account verification, notifications, password resets, alerts) | EU sending region | Recipient email address, name (where included), notification content metadata | SCCs (Module 2). EU-US Data Privacy Framework certification (verify at signing). TIA in progress. |
| 5 | **Stripe Payments Europe Ltd** (Ireland), with **Stripe, Inc.** (US) as ultimate parent | Subscription billing, invoicing, payment processing (card, SEPA where enabled), tax calculation, fraud prevention (Radar), hosted Checkout and Customer Portal | EU (Ireland) with onward transfer to Stripe, Inc. (US) for platform operations and fraud prevention | Billing contact name and email, billing address, VAT / organisation number, payment method token (card PAN tokenised by Stripe — never stored by Sokigo), transaction metadata, IP address at time of payment | Adequacy (intra-EEA at entry). Stripe SCCs (Modules 2 and 3) in Stripe's Data Processing Agreement. Stripe, Inc. is certified under the EU-US Data Privacy Framework. TIA conducted (see `TIA.md` §4). |

## Planned future Sub-processors

No additional sub-processors are currently planned.

## Sokigo group affiliates

Sokigo AB is part of the Addnode Group AB (publ) corporate group. Sokigo may share Customer Personal Data with affiliates within the group on a need-to-know basis for back-office, security, legal, finance and group reporting purposes, under intra-group data transfer arrangements that flow down GDPR obligations. All such affiliates are within the EEA.

## Historical changes

| Date | Change |
|---|---|
| 2026-04-07 | Initial publication. |
| 2026-04-16 | Added **Stripe Payments Europe Ltd** (Ireland) as active sub-processor for subscription billing and payment processing. Customer notification issued under DPA §7. |

---

**Contact**: infosec@sokigo.com for questions related to Sub-processors and data protection.