Sub-processors
Aquil — ISO 27001 ISMS Management Service
Last updated: 2026-04-16 Version: 1.1
This page lists the third parties ("Sub-processors") that Sokigo AB engages to process Personal Data on behalf of Customers in connection with the Aquil Service. It is published in accordance with Section 7 of the Aquil DPA.
Subscribe to changes
To receive advance notification of additions or replacements of Sub-processors, subscribe at: https://aquil.se/legal/subprocessors/subscribe
Sokigo will notify subscribers and update this page at least 30 days before any new Sub-processor begins processing Customer Personal Data.
Current Sub-processors
| # | Sub-processor | Legal entity | Service provided | Location of processing | Personal data categories | Transfer mechanism |
|---|---|---|---|---|---|---|
| 1 | Microsoft Azure | Microsoft Ireland Operations Limited | Azure AI Foundry (model inference: gpt-oss-120b); Azure Key Vault (encryption keys held by Sokigo, not Microsoft); related Azure platform services | Sweden (Sweden Central region) | Any personal data submitted by Customer in prompts/inputs to AI features | Adequacy (intra-EEA). Microsoft EU Data Boundary. Microsoft Product Terms + DPA. SCCs apply for any incidental US support access. |
| 2 | Nordlo | Nordlo Sverige AB | Managed IT services for Sokigo's on-premise Nutanix infrastructure (operating system administration, hardware maintenance, monitoring, incident response) | Sweden | All Customer Data at the infrastructure layer (encrypted at rest with CMK held by Sokigo) | Adequacy (intra-EEA). Written DPA flowing down GDPR art. 28 obligations. |
| 3 | Auth0 (Okta) | Auth0 EMEA Limited (Ireland), with Okta, Inc. (US) as ultimate parent | Authentication, identity management, MFA | EU tenant (Germany) | Email address, hashed password, MFA factor metadata, login timestamps, IP address | Adequacy (intra-EEA). Okta certified under EU-US Data Privacy Framework. SCCs in place. TIA conducted (see Trust page). |
| 4 | Resend | Resend Inc. | Transactional email delivery (account verification, notifications, password resets, alerts) | EU sending region | Recipient email address, name (where included), notification content metadata | SCCs (Module 2). EU-US Data Privacy Framework certification (verify at signing). TIA in progress. |
| 5 | Stripe Payments Europe Ltd (Ireland), with Stripe, Inc. (US) as ultimate parent | Subscription billing, invoicing, payment processing (card, SEPA where enabled), tax calculation, fraud prevention (Radar), hosted Checkout and Customer Portal | EU (Ireland) with onward transfer to Stripe, Inc. (US) for platform operations and fraud prevention | Billing contact name and email, billing address, VAT / organisation number, payment method token (card PAN tokenised by Stripe — never stored by Sokigo), transaction metadata, IP address at time of payment | Adequacy (intra-EEA at entry). Stripe SCCs (Modules 2 and 3) in Stripe's Data Processing Agreement. Stripe, Inc. is certified under the EU-US Data Privacy Framework. TIA conducted (see TIA.md §4). |
Planned future Sub-processors
No additional sub-processors are currently planned.
Sokigo group affiliates
Sokigo AB is part of the Addnode Group AB (publ) corporate group. Sokigo may share Customer Personal Data with affiliates within the group on a need-to-know basis for back-office, security, legal, finance and group reporting purposes, under intra-group data transfer arrangements that flow down GDPR obligations. All such affiliates are within the EEA.
Historical changes
| Date | Change |
|---|---|
| 2026-04-07 | Initial publication. |
| 2026-04-16 | Added Stripe Payments Europe Ltd (Ireland) as active sub-processor for subscription billing and payment processing. Customer notification issued under DPA §7. |
Contact: infosec@sokigo.com for questions related to Sub-processors and data protection.