Sub-processor List
Version: 1.0 · Effective: 2026-06-03 · Next review: quarterly or on material change
1. Controller identification
Huifi S.A. (operator of eMate Cloud Platform)
CUIT / Tax ID: 30-71234567-9
Registered office: Argentina
DPO: [email protected]
Sales contact: [email protected]
2. Contractual framework
Each sub-processor listed below operates under:
- An active service agreement containing data-protection clauses
- 2021 Standard Contractual Clauses (SCCs) for EU/EEA → third-country transfers
- UK International Data Transfer Agreement (IDTA) where applicable
- Commitment to comply with GDPR Art 28, LGPD Art 39, AR Ley 25.326
- Audit availability under NDA (on request with signed DPA)
3. Active sub-processors
3.1 Cloud infrastructure
| Provider | Service | Data categories | Regions | Transfer framework |
|---|---|---|---|---|
| Amazon Web Services Inc. aws.amazon.com | Compute (EC2), Storage (S3, EBS), Email (SES), DNS (Route 53), Certs (ACM), IAM, KMS | Identity, configuration, audit log, DMARC reports, billing | us-east-1, sa-east-1 | SCC 2021 signed by AWS |
| Cloudflare Inc. cloudflare.com | CDN, WAF, public DNS, Bot Management, Web Analytics (cookieless) | HTTP logs, IPs, user-agents, aggregated metrics | Global edge | SCC 2021 + UK IDTA |
3.2 Communications
| Provider | Service | Data categories | Regions | Transfer framework |
|---|---|---|---|---|
| Twilio SendGrid Inc. sendgrid.com | Outbound transactional email (verification, password reset, alerts) | Recipient email, subject, transactional email content | US | SCC 2021 |
3.3 Payments
| Provider | Service | Data categories | Regions | Transfer framework |
|---|---|---|---|---|
| Stripe, Inc. stripe.com | Payment processing for paid plans. eMate never sees card data — Stripe redirect. | Email, name, billing address, last 4 digits of card | US, IE (Stripe Payments Europe) | SCC 2021 + PCI-DSS Level 1 |
3.4 Artificial intelligence
| Provider | Service | Data categories | Regions | Transfer framework |
|---|---|---|---|---|
| Anthropic, PBC anthropic.com | Claude API for executive summary generation (AI Summary) | Aggregated DMARC statistics. No direct PII (no emails or names sent) | US | SCC 2021 + Zero Data Retention agreement |
3.5 Threat intelligence (public-IP enrichment)
The sub-processors in this category receive only public IP addresses already observed in DMARC reports issued by third parties. They do not receive customer emails, names, or domains.
| Provider | Service | Regions |
|---|---|---|
| MaxMind, Inc. | GeoIP / ASN lookup (GeoLite2) | US |
| AbuseIPDB | IP reputation / abuse detection | US |
| VirusTotal (Google LLC) | IP analysis / malware detection | US/EU |
| GreyNoise Intelligence | Classification of benign vs malicious scanners | US |
| AT&T AlienVault OTX | Open Threat Exchange (public IoC) | US |
| Have I Been Pwned (HIBP) | Breach detection — accessed via k-anonymity API | AU |
4. Change notification policy
Huifi S.A. will notify customers with a signed DPA of any addition, removal, or material change to this list at least 30 days in advance, via:
- Email to the contact designated in the DPA
- Update of this page (permanent URL)
- Banner in the
platform.emate.clouddashboard
The customer has the right to object within those 30 days. A reasoned objection from an Enterprise customer may trigger the contract-termination flow under the DPA's "Sub-processor Objections" section.
5. Additional information
Additional information about each sub-processor (signed DPA, SOC 2 / ISO 27001 certifications, DPIA) is available for Enterprise customers under NDA, on request to [email protected].
6. Related documents
- Privacy Policy — general framework
- Cookie Policy — detailed inventory
- Vulnerability Disclosure
- COMPLIANCE.md — SOC 2 / NIST CSF / ISO 27001 mapping