This page lists the third-party service providers ("Subprocessors") that Gateway.FM AS engages to process personal data on behalf of customers in connection with its services.
What is a Subprocessor?
A subprocessor is a third-party service provider that processes personal data on our behalf under our instructions. We engage subprocessors where necessary to operate and support our services. We assess subprocessors prior to engagement and require them to implement appropriate technical and organisational measures to protect personal data, consistent with applicable data protection laws.
Updates to This List
We will provide at least 30 days' notice of any material changes to our subprocessors that process customer personal data. Notice will be provided by updating this page and, where required, by email notification to the customer's primary contact on file.
Customer Rights
Customer rights relating to subprocessors, including notice and objection rights, are governed by the applicable Data Processing Addendum (DPA).
Customers may object to a new subprocessor on reasonable data protection grounds by contacting legal@gateway.fm within the notice period. If no reasonable alternative is available, the customer may terminate the affected services in accordance with the applicable agreement.
Infrastructure & Hosting
| Subprocessor | Purpose | Data Processed | Location | Safeguards / Certifications |
|---|---|---|---|---|
| AWS EMEA | Cloud infrastructure hosting | Name, work email, authentication/access metadata, service logs | EU / Global | SOC 2, ISO 27001, ISO 27701 |
| Google (G Suite / Workspace / Google Sheets / Google Cloud / Google Ads) | Cloud productivity, storage, analytics | Name, email, profile info, documents, calendar events, IP, location, usage logs | Global | ISO 27001, SOC 2, GDPR compliant |
| Vercel Inc. | Hosting / deployment | Account data, usage metadata, deployment logs, support communication | US / Global | ISO 27001 |
| DoiT | Multi-cloud optimization & management | Usage data, billing data, support communications | EU / Global | ISO 27001, SOC 2 |
| Servers.com Inc | Bare metal hosting & colocation | Customer data, server logs, account data | EU / US / Global | ISO 27001, SOC 2 |
| Latitude.sh | Bare metal & edge infrastructure | Account data, usage data, support logs | US / EU | SOC 2, ISO 27001 |
| Cloudflare, Inc. | CDN, DNS, DDoS protection & security | IP addresses, traffic data, cached content, logs | Global | ISO 27001, SOC 2 Type II, GDPR aligned |
Security & Monitoring
| Subprocessor | Purpose | Data Processed | Location | Safeguards / Certifications |
|---|---|---|---|---|
| PagerDuty, Inc. | Incident management / alerts | Names, email, job titles, IP, activity logs | US | SOC 2 |
| Twingate Inc. | Network security / VPN | Account info, usage logs, device/network data | US / Global | SOC 2, ISO 27001 |
| 1Password | Password & credential management | Name, email, phone, job title | Global | ISO 27001 |
| Absence | Leave & absence management | Name, email, job title, department, leave types, leave dates, duration, optional reason, leave balance, working hours, clock-in/out, doctor's notes, approver details | Germany (EU) | GDPR compliant, contractual and technical security measures |
| Veriff | Identity verification (KYC) | ID documents, biometric data, video selfies, verification metadata | EU (Estonia), US | ISO 27001, ISO 27701, GDPR aligned |
| Vanta | Compliance & security automation platform | Account information, service metadata, usage and log data, cookies, device and location info | US / Global | ISO-aligned security measures, EU-U.S. Data Privacy Framework |
| Adaptive Security | Cybersecurity & risk detection services | Personal information as processed per service (general & security metadata) | US / Global | Adheres to EU-U.S., UK & Swiss Data Privacy Frameworks |
| XFA | Zero trust device security & compliance | Device identifiers/status, organization account details, email only when linked | Ireland (AWS Ireland) / EU | Encryption at rest/in transit, privacy-by-design |
| Aikido Security | Application security & vulnerability monitoring | IP addresses, code metadata, logs, security events | EU (Belgium) | GDPR compliant, ISO-aligned |
Communications & Support
| Subprocessor | Purpose | Data Processed | Location | Safeguards / Certifications |
|---|---|---|---|---|
| Slack | Team messaging & collaboration | User accounts, messages, workspace/channel data, IP | US / EU | SOC 2 Type II |
| Zendesk.com – IRE | Customer support / ticketing | Customer profiles, tickets, feedback | EU / US | SOC 2 |
| HubSpot | CRM, marketing & customer engagement | Personal email addresses, CRM records | US / EU | SOC 2, SCCs, GDPR compliant |
Analytics & Operations / AI Automation
| Subprocessor | Purpose | Data Processed | Location | Safeguards / Certifications |
|---|---|---|---|---|
| OpenAI | AI conversation / analysis | Inputs, account info, payment data, IP, usage patterns | US / Global | SOC 2, ISO 27001 |
| Greenhouse | Candidate & recruitment analytics | Candidate info, resumes, tax jurisdiction, expected CTC | US / Global | ISO 27701 |
| Datadog, Inc. | Monitoring & analytics | Name, email, IP, device location, usage data | US / EU | SOC 2 Type II, ISO 27001 |
Payment Processing
| Subprocessor | Purpose | Data Processed | Location | Safeguards / Certifications |
|---|---|---|---|---|
| Deel | Contractor payroll & payments | Name, bank info, tax IDs, government IDs | US / Global | SOC 2 |
| Revolut Business | Payment processing | ID, EIN, proof of activity, directors/shareholders | EU / Global | SOC 2, ISO 27001 |
| PowerOffice Go (POGO) | Payroll & invoicing communication | Employee payroll, invoices, receipts | Norway / EU | GDPR compliant |
| Zoho | Financial, accounting & business operations | Company info, tax IDs, bank details, financial records, vendor & user data | Global | ISO 27001, GDPR compliant |
Development & Collaboration Tools
| Subprocessor | Purpose | Data Processed | Location | Safeguards / Certifications |
|---|---|---|---|---|
| GitHub, Inc. | Code repository / collaboration | Account data, usage logs, billing info | US / Global | ISO 27001 |
| Figma | Design & collaboration | Account info, design files, version history | US / EU | ISO 27001 |
| Notion | Collaboration & documentation | Account info, documents, usage logs | US | SOC 2, ISO 27001 |
| Linear | Project management | Account data, profile, passwords | Global | SOC 2 Type II, GDPR compliant |
| DocuSign Inc. | E-signature & contract management | Names, emails, signed documents, IP addresses, logs | US / EU | ISO 27001, SOC 2 Type II |
| Docker Inc | Container platform & image registry | Account data, usage telemetry, IP addresses, logs | US / Global | SOC 2 Type II, ISO 27001 |
| FireHydrant | Incident management and response platform | Account data (name, email), payment data, authentication data, system logs, IP addresses, device/usage data, support requests | US / Global | Standard security measures, contractual controls |