Subprocessors and Other Recipients

Also available in:Bulgarian

Last updated: 10 June 2026

Forci Web Consulting Ltd. uses carefully selected third-party service providers to assist in delivering our services and operating our website. This page lists both subprocessors and other third-party recipients; where a provider acts as an independent controller or controller-to-controller recipient, that relationship is identified below. We carry out due diligence to ensure each provider meets our security requirements and applicable data protection laws. Most subprocessors are engaged under a dedicated Data Processing Agreement (DPA); where one is not available, we rely on equivalent contractual safeguards (e.g., infrastructure-level DPAs) and robust technical and organisational measures, or — for consumer-tier AI tools — under a documented risk assessment with strict data minimisation: no bulk, sensitive, or client-system personal data, only incidental business-contact data that may appear in code or documents.

Current Subprocessors and Other Recipients by Category

Infrastructure & Hosting

  • Cloudflare, Inc. (United States/Global)
    • Purpose: CDN, DDoS protection, DNS, and web application firewall
    • Location: Global network (300+ cities), processing in US and EU data centers
    • Transfer mechanism: EU-U.S. Data Privacy Framework + EU Standard Contractual Clauses
    • Note: DPA incorporated by reference in Self-Serve Subscription Agreement
    • Certifications: ISO 27001, ISO 27701, ISO 27018, SOC 2 Type II, EU Cloud Code of Conduct
    • Privacy Policy | Trust Hub
  • Hetzner Online GmbH (Germany/Finland)
    • Purpose: Primary infrastructure provider for EU production workloads
    • Location: EU data centers only - no international transfers
    • Privacy Policy
  • Wasabi Technologies LLC (EU Region)
    • Purpose: Object storage for backups and archives
    • Location: EU region selected
    • Transfer mechanism: EU & UK Standard Contractual Clauses
    • Privacy Policy

Development & AI Services

  • Anthropic PBC (United States)
    • Purpose: AI language model infrastructure (Claude API)
    • Transfer mechanism: EU Standard Contractual Clauses; signed DPA in place
    • Note: This is the tier used for any processing of client personal data beyond incidental business-contact data.
    • Trust Center
  • OpenAI Ireland Ltd. (Ireland/United States)
    • Purpose: GPT-4 API and ChatGPT Enterprise features
    • Location: EU/Ireland and US processing
    • Transfer mechanism: Intra-group EU Standard Contractual Clauses
    • Privacy Policy
  • Cursor Inc. (United States)
    • Purpose: AI-powered code editor with integrated development features
    • Transfer mechanism: EU Standard Contractual Clauses (Module 2) + UK Addendum
    • Note: Privacy Mode with Storage enabled (zero data retention by model providers, temporary encrypted storage for background agents functionality only, no training on data), SOC2 certified, formal DPA available
    • Trust Center | Subprocessors | Privacy | DPA
  • Anthropic, PBC / Anthropic Ireland, Limited (United States/Ireland)
    • Purpose: AI-powered development and code assistance
    • Location: US processing; EU legal entity (Anthropic Ireland, Limited) for EEA users
    • Transfer mechanism: Consumer Terms reference Anthropic Ireland as contracting entity for EEA
    • Note: No formal DPA on consumer plans. Model training disabled in account settings and retention minimised; limited provider-side processing may apply as described in Anthropic's consumer privacy policy. No bulk, sensitive, or client-system personal data is processed here; only incidental business-contact data that may appear in code or documents, under a documented risk assessment.
    • Consumer Terms | Trust Center
  • Dynalist Inc. (Obsidian Sync) (Canada)
    • Purpose: Secure synchronization of knowledge management vaults
    • Location: EU servers (user-selected) - no international transfers
    • Infrastructure: Hosted on Digital Ocean (Frankfurt) - Digital Ocean DPA
    • Note: End-to-end encryption with user-controlled password
    • Security Documentation | Privacy

Productivity & Collaboration

  • Slack Technologies (United States/Ireland)
    • Purpose: Internal team communication and collaboration platform
    • Location: US and EU (Ireland) processing
    • Transfer mechanism: EU-U.S. Data Privacy Framework + EU Standard Contractual Clauses
    • Note: Part of Salesforce Group, formal DPA available
    • Privacy Policy | Security
  • JetBrains s.r.o. (Czech Republic/EU)
    • Purpose: YouTrack issue tracking and project management
    • Location: EU hosting only - no data transfers outside EU/EEA
    • Transfer mechanism: Not applicable (EU-based processing)
    • Privacy Policy
  • Google Ireland Ltd. (Global)
    • Purpose: Google Workspace and Cloud Platform services
    • Location: Global data center network including EU
    • Transfer mechanism: EU/UK Standard Contractual Clauses
    • Privacy Policy

Security & Monitoring

  • Functional Software Inc. (Sentry) (United States)
    • Purpose: Error tracking and performance monitoring
    • Transfer mechanism: EU-U.S. Data Privacy Framework & EU SCCs
    • Privacy Policy

Analytics & Website Optimization

  • Google Ireland Ltd. (Ireland/Global)
    • Purpose: Website analytics (Google Analytics 4)
    • Location: Global data center network including EU
    • Relationship: Controller-to-Controller (independent controllers)
    • Transfer mechanism: EU/UK Standard Contractual Clauses
    • Note: Consent Mode v2 implemented — cookieless mode when analytics consent is denied
    • Privacy Policy
  • Mouseflow ApS (Denmark/EU)
    • Purpose: Session replay, heatmaps, and user experience analytics
    • Location: EU data centers (Google Cloud Belgium, Leaseweb Netherlands)
    • Transfer mechanism: Not applicable — EU-based processing. EU-U.S. DPF + SCCs for US sub-processors
    • Certifications: ISO 27001, SOC 1 Type II, SOC 2, PCI DSS
    • Note: DPA incorporated in Terms of Use
    • Privacy Policy | DPA
  • Dealfront Group GmbH (Leadfeeder) (Germany/EU)
    • Purpose: Anonymous company identification from website visitors
    • Location: EU — data exclusively stored and processed on servers within the EU
    • Transfer mechanism: Not applicable — EU-based processing. EU SCCs for rare non-EU transfers
    • Certifications: ISO 27001, ISO 27701
    • Note: DPA auto-concluded when tracking script installed. Hosted on AWS Ireland.
    • Privacy Policy | DPA (PDF)

Marketing & Advertising

  • HubSpot Ireland Ltd. (Ireland/United States)
    • Purpose: Marketing automation, CRM, contact tracking
    • Location: EU and US data centers
    • Transfer mechanism: EU-U.S. Data Privacy Framework + EU SCCs
    • Note: DPA incorporated in Customer Terms of Service
    • Privacy Policy | DPA
  • ConvertKit LLC (dba Kit) (United States)
    • Purpose: Email newsletter delivery and marketing automation
    • Location: United States
    • Transfer mechanism: EU Standard Contractual Clauses + UK IDTA (included in Kit's Data Processing Addendum)
    • Note: Standard DPA available at kit.com/dpa
    • Privacy Policy | DPA
  • Meta Platforms Ireland Ltd. (Ireland/United States)
    • Purpose: Conversion tracking and ad measurement (Meta Pixel)
    • Location: EU (Ireland) and US
    • Relationship: Controller-to-Controller for standard Pixel events
    • Transfer mechanism: EU-U.S. Data Privacy Framework + EU SCCs
    • Note: Data processing terms accepted via Business Tools Terms
    • Privacy Policy | Business Tools Terms
  • LinkedIn Ireland Unlimited Company (Ireland/United States)
    • Purpose: Conversion tracking and demographic insights (LinkedIn Insight Tag)
    • Location: EU (Ireland) and US
    • Relationship: Controller-to-Processor (advertiser is controller, LinkedIn is processor)
    • Transfer mechanism: EU SCCs Module 2 (Controller-to-Processor)
    • Note: DPA incorporated in LinkedIn Ads Agreement; data retained 180 days
    • Privacy Policy | DPA
  • RB2B / Retention.com (United States)
    • Purpose: Person-level visitor identification and associated contact data (US visitors only)
    • Location: United States
    • Transfer mechanism: Not applicable — US-only processing (EU visitors excluded via geo-fencing)
    • Note: RB2B does not offer GDPR-compliant processing for EU visitors. Geo-fenced to US traffic only.
    • Privacy Policy | GDPR Opt-Out

Technical Subprocessors

  • Development partners
    • Purpose: Software development and technical services
    • Location: Bulgaria, EU
    • Partners: Developnica EOOD
    • All development partners sign NDAs and DPAs

AI Development Tools Policy

We use AI-assisted tools in our service delivery, configured with appropriate safeguards:

  • No model training - We do not allow the AI tools we use to train on client data: tools that process client personal data are engaged under signed data processing agreements that contractually exclude training, and on consumer-tier tooling training is disabled in account settings. Consumer-tier tooling additionally sees no bulk, sensitive, or client-system personal data — at most incidental business-contact details appearing in code or documents, under a documented risk assessment with strict data minimisation. As with any AI vendor, providers may process narrow categories of content (such as safety-flagged material) under their own published policies; our data-minimisation rules are designed precisely so that client data does not fall into those categories.
  • Minimised retention - We configure these tools for the least data retention available. Where a tool offers contractual zero-retention, we use that option for any processing involving personal data, under the applicable signed data processing agreement.
  • Data minimisation - We minimise and, where practicable, de-identify the information provided to AI tools.
  • Confidentiality preserved - Use of AI tools does not relieve us of our confidentiality and data-protection obligations to you.

Our Commitments

  • Subprocessors are engaged under a written Data Processing Agreement (DPA) or equivalent contractual safeguards designed to support GDPR-compliant processing; the sole exception is consumer-tier AI tooling, used only under a documented risk assessment with strict data minimisation — no bulk, sensitive, or client-system personal data, only incidental business-contact data that may appear in code or documents
  • We conduct regular security assessments of our subprocessors
  • We maintain appropriate safeguards for any international data transfers
  • Subprocessors cannot use personal data for their own purposes
  • We perform due diligence before engaging new subprocessors

Changes to Subprocessors

We may update our subprocessors to improve our services. Changes are posted on this page, and posting constitutes notice; clients with active Data Processing Agreements have at least 14 days to object on data-protection grounds before a new subprocessor is engaged, as set out in our Data Processing Terms. We recommend reviewing this page periodically.

Questions?

For specific inquiries about our data processing practices or subprocessors, please contact:

Email: [email protected]
Phone: +359 887 189 697
Address: Bulgaria, Sofia 1517, zh.k. Suhata reka, bl. 52, vh. G, et. 6, ap. 18

Subprocessors | Forci