Sub-processors
Last updated: May 2026
The list below identifies the sub-processors that Picspace (operated by Matthias Grieder, sole trader) engages to process Customer Personal Data in providing the Services. It is incorporated by reference into our Data Processing Agreement (Annex 1).
We notify customers of any intended addition or replacement of a sub-processor with at least 30 days' notice, during which a customer may object on reasonable data-protection grounds. To receive notifications, email privacy@picspace.io with the subject "Subscribe — sub-processor notices".
Active sub-processors
| Sub-processor | Purpose | Location of processing | Transfer safeguard |
|---|---|---|---|
| Amazon Web Services EMEA SARL (AWS) | Application hosting, managed databases (RDS), object storage (S3), search (Elasticsearch / OpenSearch), email delivery (SES) | EU (eu-central-1, Frankfurt) primarily; limited control-plane operations may touch other regions | EU processing; SCCs + AWS DPA for any extra-EEA fallback |
| Clerk Technologies, Inc. | User authentication and account management (sign-up, sign-in, session management, webhooks for user lifecycle events) | United States | SCCs + Clerk DPA |
| Polar Software Inc. (Polar.sh) | Subscription billing, payment processing, invoices, customer portal | United States | SCCs + Polar DPA; Polar uses sub-processors including Stripe for card processing |
| Resend, Inc. | Transactional email delivery (account, sharing, system notifications) | United States, with EU sending region available | SCCs + Resend DPA |
| OpenAI, L.L.C. / OpenAI Ireland Ltd | AI metadata generation (auto-tags, titles, descriptions) using Picspace's platform credits. See "BYOK" note below for the alternative configuration. | United States (with EU residency option for eligible accounts) | SCCs + OpenAI DPA; zero-retention requested where eligible. Inputs/outputs retained ≤30 days for abuse monitoring; not used for model training. |
Important note on Bring Your Own Key (BYOK)
When a customer enables BYOK by storing a personal OpenAI API key in account settings, AI calls are made on the customer's own OpenAI account. In that configuration:
- OpenAI is not a sub-processor of Picspace. OpenAI processes the customer's data under the customer's direct contractual relationship with OpenAI.
- The customer is the controller of the AI inference. Picspace acts as a technical conduit on the customer's documented instruction (saving the key + uploading a photo).
- Picspace's encrypted-at-rest storage of the API key itself remains a Picspace processing activity, governed by our DPA.
See the Data Processing Agreement §2.3 for the full allocation of roles in the BYOK configuration.
Infrastructure providers (not sub-processors of Personal Data on customers' behalf)
The following providers support Picspace's operations but do not process Customer Personal Data on behalf of customers in the Art. 28 sense:
- GitHub, Inc. — source code hosting and CI
- Sentry / similar APM — error and performance monitoring (configured with PII scrubbing)
- Slack Technologies, LLC — internal team communications
Contact
Questions or objections regarding sub-processors: privacy@picspace.io Picspace (operated by Matthias Grieder, sole trader), Kirchengasse 36/10, 1070 Vienna, Austria.