Sub-Processors
Authorised sub-processors engaged by R11N Ventures GmbH to provide the EasyWithdraw app, published pursuant to §9 of the Data Processing Agreement.
Last updated
Processor: R11N Ventures GmbH (the "Provider")
Service: EasyWithdraw. Shopify application for handling end-customer withdrawal declarations
Document type: Sub-processor list pursuant to §9.2 and Annex III of the Data Processing Agreement (the "DPA")
Last updated: 4 June 2026
Purpose of This Page
This page is the up-to-date list of sub-processors referenced in §9.2 and Annex III of the DPA. The Provider engages the sub-processors below to process personal data on behalf of the Merchant (the Controller) in connection with the EasyWithdraw app.
Each entry states the legal entity, the service it provides, the categories of personal data that reach it, where the data is processed, the international transfer mechanism relied on, and links to the sub-processor's own data-protection documentation.
Changes to This List
Per §9.3 of the DPA, the Provider gives the Controller at least thirty (30) days prior notice of any addition or replacement of a sub-processor by (a) publication of the updated list on this page and (b) email to the Controller's primary administrative contact registered in the App. The Controller may object on reasonable data-protection grounds within the notice period per §9.4 of the DPA.
1. Cloudflare, Inc.
| Field | Detail |
|---|---|
| Legal entity | Cloudflare, Inc. |
| Registered office | 101 Townsend Street, San Francisco, CA 94107, United States |
| Service provided | Content delivery network (CDN), web application firewall (WAF), DDoS protection, and the edge runtime (Cloudflare Workers) on which the App executes |
| Personal data processed | All data categories listed in Annex II of the DPA, in transit through and processed by the App runtime; session and cache data held in Workers KV |
| Data location | Global anycast edge network; traffic is processed at the edge location nearest the visitor. Persistent application data is not stored at the edge: the App's database resides with Neon in Frankfurt (see entry 2). Workers KV central stores are located in the United States and the EU |
| Transfer mechanism | EU-US Data Privacy Framework certification (including the UK Extension and the Swiss-US DPF), with the EU Standard Contractual Clauses (2021/914) incorporated in Cloudflare's customer DPA as fall-back |
| Safeguards & certifications | ISO/IEC 27001:2022, ISO/IEC 27701, ISO/IEC 27018, SOC 2 Type II, PCI DSS, BSI C5:2020, EU Cloud Code of Conduct; TLS encryption in transit |
| Documentation | Customer DPA · Sub-processor list · Trust Hub |
2. Neon, LLC (a Databricks Company)
| Field | Detail |
|---|---|
| Legal entity | Neon, LLC, an affiliate of Databricks, Inc. |
| Registered office | United States |
| Service provided | Managed serverless PostgreSQL database: the primary data store for Withdrawal Declarations, merchant configuration, and audit logs |
| Personal data processed | All stored data categories listed in Annex II of the DPA: master data, order data, withdrawal content, evidentiary log data, notification metadata |
| Data location | EU region: AWS Europe (Frankfurt), eu-central-1. The database runs in the selected region; the region is fixed at project creation. Backups are encrypted and retained for thirty (30) days |
| Transfer mechanism | EU-US Data Privacy Framework certification of Databricks, Inc. (Neon, LLC is a covered entity; including the UK Extension and the Swiss-US DPF), with the EU Standard Contractual Clauses incorporated in the DPA as fall-back |
| Safeguards & certifications | SOC 2 Type II, ISO/IEC 27001:2022, ISO/IEC 27701:2019; AES-256 encryption at rest, TLS 1.2/1.3 in transit |
| Documentation | DPA · Sub-processor list · Trust Center |
3. Resend (Plus Five Five, Inc.)
| Field | Detail |
|---|---|
| Legal entity | Plus Five Five, Inc., operating as Resend |
| Registered office | 2261 Market Street #5039, San Francisco, CA 94114, United States |
| Service provided | Transactional email delivery: withdrawal confirmations to End-Customers and notification or digest emails to the Merchant |
| Personal data processed | Recipient name and email address, email content (including order references and withdrawal details), delivery status |
| Data location | United States. Emails are dispatched from Resend's EU sending region (Ireland, eu-west-1); account data, email metadata, and delivery logs are stored in the United States |
| Transfer mechanism | EU-US Data Privacy Framework certification (including the UK Extension), with the EU Standard Contractual Clauses (Module Three, processor to sub-processor) incorporated in Resend's DPA as fall-back |
| Safeguards & certifications | SOC 2 Type II; encryption at rest with row-level encryption for sensitive tables, TLS 1.3 in transit; annual third-party penetration testing |
| Documentation | DPA · Sub-processor list · Security overview |
4. Sentry (Functional Software, Inc.)
| Field | Detail |
|---|---|
| Legal entity | Functional Software, Inc. d/b/a Sentry |
| Registered office | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, United States |
| Service provided | Application error tracking and crash reporting for the App |
| Personal data processed | Technical error reports that may incidentally contain personal data (for example request metadata, identifiers, or IP addresses); server-side data scrubbing is enabled to redact sensitive values before storage |
| Data location | EU data residency region (de.sentry.io), hosted on Google Cloud in Frankfurt, Germany, including backups. Limited account and organisation metadata (user accounts, settings, audit logs) is processed in the United States |
| Transfer mechanism | EU-US Data Privacy Framework certification (including the UK Extension and the Swiss-US DPF), with the EU Standard Contractual Clauses (Modules Two and Three) incorporated in Sentry's DPA as fall-back |
| Safeguards & certifications | SOC 2 Type II, ISO/IEC 27001; server-side PII scrubbing enabled by default |
| Documentation | DPA · Sub-processor list · Trust Center |
5. Datadog, Inc.
| Field | Detail |
|---|---|
| Legal entity | Datadog, Inc. |
| Registered office | 620 8th Avenue, 45th Floor, New York, NY 10018, United States |
| Service provided | Application and infrastructure monitoring and log management for the App |
| Personal data processed | Operational logs and application telemetry that may incidentally contain personal data (for example request metadata or identifiers); log content is minimised at source |
| Data location | EU site (EU1, datadoghq.eu), hosted in Germany on Google Cloud. Datadog sites are fully independent; data is not shared across sites |
| Transfer mechanism | EU-US Data Privacy Framework certification (including the UK Extension and the Swiss-US DPF), with the EU Standard Contractual Clauses (Modules Two and Three) incorporated in Datadog's DPA as fall-back |
| Safeguards & certifications | SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701, PCI DSS |
| Documentation | DPA · Sub-processor list · Trust Center |
Note on Shopify
Shopify Inc. is not a sub-processor of the Provider. The Merchant's relationship with Shopify is governed by the Merchant's own agreement with Shopify. Data exchanged between the App and Shopify (via Shopify webhooks and the Shopify Admin API) is exchanged on the Merchant's instruction.
Transfer Mechanism Note
Where a sub-processor's EU-US Data Privacy Framework certification ceases to provide a valid transfer mechanism, the Standard Contractual Clauses incorporated in the respective sub-processor agreement apply as a binding fall-back per §10.5 of the DPA. The Provider monitors the certification status of each sub-processor as part of its ongoing sub-processor due diligence.